Defining “Equity” in the World of Critical Infrastructure Security

Written by

For several sessions in a row, federal cybersecurity legislation has been stalled while a squadron of lobbyists debate whether mandated compliance with federal standards will help or hinder IT security efforts in the private sector. The Administration is concerned that voluntary compliance will not produce the level of response that is appropriate to the current national critical infrastructure threat, and industry is worried that mandatory compliance measures will come with penalties that would be based on arbitrary decisions. So far, it’s a standoff.
 
No matter how that debate ends, the fact is that standards compliance is the metric of choice in the commercial world for determining liability and establishing due diligence. But who determines whether compliance with the standards has been met?
 
The difficulty of resolving this problem is demonstrated in an Infosecurity magazine article that reports on a conflict between credit card issuers and the merchants who are required to comply with the PCI Data Security Standard that applies to systems that process credit card transactions. The card issuing companies have the authority to audit merchants and fine them if they are found non-compliant with the PCI standard. The fines can be very large and are not consistent across the industry. They are deducted from the transaction income owed to the merchants by the card issuers, and the merchants have to go to court to dispute the audit findings and (maybe) recover the fines – a process they consider quite unfair. What makes this even harder to swallow is that these fines are actually an income stream to the card issuing companies. In other words, card issuers have an interest in finding the merchants “non-compliant”.
 
The card issuers argue that the fines protect them from the cost of breaches that originate in merchant systems; the merchants argue that mere compliance doesn’t protect them from breaches. The relief that the merchants seek is an independent body that would conduct the PCI audits and set the fine structure. Just as with the bank transactions and FFIEC compliance, the courts can offer equity, but not “security.”
 
In the national security space, the big question is how you define “equity” when you are talking about the security of critical infrastructure. The two worlds differ substantially in that one impacts commerce and the other impacts the lives and existence of countries. What structure of fines would compensate for the loss of highly classified intelligence or the destruction of a major dam or railway? And how do you account for the fact that our installed base of software throughout both government and private sectors is inherently insecure? There are no simple answers to any of these questions, yet there is an imperative to address the threat that provokes them.

One thing is for certain: the security program that limits its focus to the technical and tactical components of this fight will be woefully unprepared to address the risk management components that arise while navigating these turbulent, strategic waters. 
