Government's Role in Information Security: Leave it to the Experts

Daniel R Walsh says government should not have a role in creating and enforcing information security standards

Should governments be taking an active role in developing and enforcing infosec standards? In my opinion the answer is an unequivocal ‘no’. It should most certainly be left to the experienced and qualified professionals who actually know the requirements. Security professionals can implement any standard more effectively without being tied up in a legislative debate, which takes an inordinate amount of time. Because they are elected, legislators are typically far from security savvy.

There are accepted international standards, such as ISO, that are constantly being updated and that only a fully qualified security expert can deal with. New threats are emerging from all over the world on a daily basis, and only true professionals with a ‘finger on the pulse’ of what is actually happening can deal with – and counteract – the effects these threats might have on a network environment.

With the ever-changing dynamics of the internet and the need to ensure we stay one step ahead of cybercriminals, it takes a dedicated type of expert to keep us safe. The internet is much safer in the hands of global experts, who can constantly monitor both activity and compliance to industry standards.

National governments and their respective security services must monitor the internet because, in this day and age, many terrorist organizations are using it to spread their evil works. So cyberspace has to be monitored, but actually controlling it and enforcing standards, in my opinion, would be a disaster. It must remain independent.

Security professionals spend many years learning their craft, attending conferences, exhibitions and seminars, doing an inordinate amount of reading and study. To achieve any level of competence, security professionals must know the current threats to their environment to optimize the smooth operation of their networks.

Throughout the world there are people who are ‘cyber experts’, but for whatever reason decide that they will use their expertise for adverse means – developing, launching and distributing viruses and other malware. Normal people would consider this to be pathological behavior, and many people have suffered irreparable harm from these exploits. So the effects in terms of time and work lost cannot be understated.

If we look at only one aspect of internet activity, e-commerce, we see there are standards, processes and procedures that have to be taken into account before any ‘live’ transactions take place. Standards such as PCI DSS, ISO27001/2, and the UK’s Data Protection Act are combined to ensure that our financial details are properly stored and protected. How can we reasonably expect any national government to keep up to date with these ever-changing standards? We cannot, and should not.

If we look at just two of the aforementioned standards, ISO27001/2 started out its life as BS7799, a British standard. Over the years this standard has changed in keeping with the evolution of internet usage and threats, and with appropriate changes it has now become a recognized international standard.

Another standard is the Data Protection Act, which today – through international consultation – has migrated from being a desired practice to become an industry-recognized standard in the UK. In Europe it is EU95/46, with each European country having its own particular ‘twist’ on it, depending on the country’s requirements. Finally, large portions of EU95/46 have been adopted by the US in their entirety, where it is called Safe Harbor.

These examples demonstrate the ever-changing requirements for protecting cyberspace, which must be managed by dedicated infosec professionals. Any move toward having governments take over this role would only leave a faceless organization managing what is an excellent tool. The internet, when used properly and managed accordingly, makes this a much smaller world, offering powerful opportunities to educate, enlighten, and engage in e-commerce activities. Long may the status quo prevail.

Daniel R Walsh is the director of business development – biometrics, identity management and compliance, for CiRRUS Management Solutions Ltd. As chairman of the Human Identity Management and Biometrics Consultation Group and a member of the International Social Security Association, Walsh recently joined CiRRUS with a wealth of industry experience, having delivered keynote speeches and given talks on the history of biometrics all over the world. He is based at CiRRUS’ office in Abingdon, Oxfordshire, UK.