At a session titled ‘Information Security Legislation: Implications for Security Professionals’ at last week’s RSA Conference in San Francisco, a group of seasoned security veterans gathered to discuss both pending and passed legislation, in addition to what the security community can do to provide input on bills currently being considered.
Some of this legislation regulates commerce, other bills address ‘critical infrastructure’, and still others seek to ensure national security during a cyber attack. “Now is the time to have these debates,” said Michael Assante, CISO of the North American Electric Reliability Corporation (NERC) and a veteran of Congressional testimony.
But, as Assante sees it, the trouble these bills present is scope. Because the US lacks a comprehensive cybersecurity bill that addresses all sectors, he wondered exactly who – or what agency, for that matter – is given the authority to act when a particular system is compromised by a cyber threat.
From a commercial perspective, Michael Barrett, CISO of PayPal, said we simply do not “have a framework to really think about what the right set of legislative measures should be. It seems to me that the law of unintended consequences has not been repealed.”
Referring to the broad umbrella of ‘critical infrastructure’ protection, Barrett claimed “we are still using terms that frame the debate in very specific ways. We are viewing the problem of internet security as a technical one. I think we need to hit the reset button metaphorically and think about this as a regulatory problem,” adding, “It means we need to have very clear terms.”
Echoing Assante’s concerns over a lack of defined legislative scope, Barrett believes that the US has not discussed or developed a precise framework as to who is responsible for ‘policing’ the internet. He drew a parallel with road safety, in which the driver, the authorities, and the government all play their own unique roles in promoting the rules of the road, and vehicular safety in general. As he pointed out, to date, no such arrangement exists for defining actors’ roles in cybersecurity.
“If you are going to create a law, you should create a law for a reason”, affirmed Christopher Ipsen, CISO for the state of Nevada. “And you should create a framework for determining whether that law will be successful.”
Ipsen acknowledged that policy makers seeking to regulate cyberspace and the internet have to define what they are legislating, and what the policy is meant to achieve. “We are at a time when people are interested in cybersecurity,” said Ipsen. “Now is the time to discuss policies. There are some greater good capabilities that government has a responsibility to achieve.”
Regardless of the panelists’ individual perspectives, all agreed that it was incumbent on security professionals to make their voices heard on pending legislation affecting the internet. “We have to rally together as security professionals to help drive cybersecurity legislation,” implored Patti Titus, CISO of Unisys.
Titus concluded that only security professionals – whose hands are metaphorically dirtied every day by security issues – can provide the appropriate feedback to drive the most meaningful, comprehensive, and effective cybersecurity legislation. She called on those gathered to lend their voices to bills being drafted, and to contact their respective national and state policy makers to provide input.
Summing up her call to action, Titus pleaded with her colleagues: “We need to look at these legislative bills as an opportunity to help drive the types of behavior that we as security professionals know needs to happen.”