IT professionals don't need a federal law to prod them into an increasing their efforts to defend against cyber threats. They know they are at war daily with attackers ranging from criminals to "hactivists" to nation states, looking to damage or steal everything from infrastructure to identities to money to corporate and government intellectual property.
But the debate continues over whether corporations and government agencies guarding their own turf is enough, or if government still has a major role to play, especially regarding critical infrastructure that is in private hands but serves a public function.
The Cyber Security Act of 2012 failed last month after a vote to end debate on the matter failed to get the necessary 60 votes. Business and civil liberties groups had both objected -- businesses saying they would be too heavily regulated and the civil liberty groups complaining of a lack of privacy protections.
But it should surprise no one that, as Human Events reported this week, the failure of that legislation has not stopped the private sector efforts to defend against increasing threats.
While corporations are not about to reveal their tactics or strategy, Larry Clinton, president of the Internet Security Alliance, told the House Energy and Commerce subcommittee this past February that a survey by the Ponemon Institute estimated private-sector spending on cybersecurity at about $80 billion in 2011. He noted that the entire 2012 budget request for the Department of Homeland Security was $57 billion.
But Ponemon, which collaborated with Bloomberg Government on the study, released in January, said $80 billion is still not nearly enough, especially for crucial industries and operators of vital infrastructure. The study was based on interviews with technology managers from 172 U.S. organizations in six industries and the government.
Bloomberg News reported that the study found "utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system or cutting communications." Financial companies would have to spend 13 times as much to achieve the same level of security, according to the study.
Lawrence Ponemon, chairman of the Ponemon Institute LLC, told Bloomberg, "The consequences of a successful attack against critical infrastructure makes these cost increases look like chump change. It would put people into the Dark Ages."
And even that massive increase in spending, the study found, would only boost those industries' capabilities from stopping 69% of attacks to 95%.
It would also not be enough to make the need for legislation moot, say security experts, who note that it should be obvious that business and industry will not share information with one another and the government unless they are required to do so by law, and are granted some protection from liability.
Joel Harding, a retired military intelligence officer and information operations expert, has been following Congress's so far fruitless effort to pass cybersecurity legislation with some frustration, but also with an understanding of political and business realities.
"Business and governments have different objectives when it comes to cybersecurity," he said. "But often government does not act, necessitating private-sector action to cause government action."
Harding said he hopes the failure of the legislation in August will prompt Congress to take the concerns of business more seriously. "If congressional language is not in line with what business wants, it might backfire in November, so a lot is on the line," he said.
Not everybody thinks federal legislation will make the nation's critical systems more secure, however. Liz Peek, writing in The Fiscal Times, contended that while President Obama is correct that cyber threats are "one of the most serious economic and national security challenges we face, she said, "the legislation he backed would not solve that problem."
"It calls for companies managing our power plants and stock exchanges to meet only minimal security standards while burdening those firms with costly compliance requirements," Peek wrote. "Moreover, it grants compliant organizations legal immunity in the event of an attack. In other words, companies would have arguably less incentive to truly protect our critical infrastructure than without the law."
"Passing the bill would have been another 'checked box' for the White House and for Congress -- nothing more," she added.
Peek cited Lamar Bailey, director of security research for nCircle, a security and information management company, who contends that Congress doesn't have the expertise to craft effective cybersecurity law. Bailey said his firm asked IT professionals at a recent gathering if they thought government regulation would improve information security for critical infrastructure, and 60% said no.
But Harding said the reality is that both government and business have a role to play, because some level of information sharing between the public and private sectors will be crucial in providing effective defense. He does agree it is going to be very expensive.
"To give the U.S. adequate security is going to take an extremely large sum of money," he said. " It is going to cause us pain, lots of it, but we need it to secure our future."
"The really good news is that I am seeing a lot of reports of the software industry finally taking security seriously," Harding said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.