Government has a very important role to play in legislating, developing and enforcing information security standards. While defining that role is very much an issue of debate, what is certain in my mind is that attacks are not country-specific, so governments must first identify the global standards already in place and focus their efforts on moving these forward. From there, countries can then make those standards fit into a framework that is unique to their own legislative, economic and social environments. This being said, there are some significant challenges to overcome in order for the government’s role in information and cybersecurity to be effective. Following are just a few examples, as I see them.
Particularly challenging with information security standards and legislation is that we strive too much for perfection and are not willing to be satisfied with ‘good enough’. Trying to accommodate every point of view makes a successful culmination of efforts impossible; when you try to please everyone, you end up pleasing no-one.
Another hurdle is powerful special interest groups, such as technology and critical infrastructure companies. If they decide to challenge enforcement or regulation, it becomes an obstacle that is seldom overcome. As with any legislation, people with different agendas put forth great effort to educate government officials. The legislative process becomes one interest against another, and the non-partisan advantage disappears. In addition, legislators who don’t have a technical background are at the mercy of industry influencers with a one-sided perspective, pushing their philosophy in the form of a ‘silver bullet’.
Common to governments around the world is a legislative dance between the extremes of command/control and regulation/compliance. It is very difficult for countries to resolve and commit to international standards if they have not resolved the private/public sector differences internally. For example, consistent application of guidance/regulation for US critical infrastructure is a battle for control between the infrastructure owners (with the private sector owning 90%) and government(s). The private side is often guided by the profit–loss line, and with 50,000+ facilities operating without consistent compliance standards, this high-risk scenario will continue.
Relationships between the various branches of government are often tenuous. For instance, in the US, developing regulations is not the job of Congress. Its role is to identify where laws are needed, but if we want cybersecurity legislation with ‘teeth’, Congress’ involvement is critical.
On the other hand, Congress can’t and shouldn’t do it all; a good working relationship with the executive branch is necessary to define compliance requirements. More importantly, if the two branches don’t have a good working relationship, the whole effort gets stalemated – as we have come to observe over the past year.
Globally, information security standards are extremely complex to navigate, legislate and enforce. This makes the process very time-consuming and slows the entire effort. The good news is that, with governments getting involved, the issue of information security has risen in importance as a global priority. Without the involvement of governments, there will continue to be the silo effect of independent operations and processes, with numerous ensuing conflicts.
What should governments do to move information security standards forward despite these challenges? Governments should be distinctly represented on information security standards bodies and contribute equally among industry stakeholders; seek to be educated from the broader technical community and be extremely leery of any ‘silver bullet’ philosophies; maintain the distinct roles between branches and strive for collaboration; and reset the expectation of ‘perfect’ cybersecurity operations.
In the meantime, finding the correct balance between standards, legislation, regulation, guidelines, and simple collaboration remains a nightmare.
W. Hord Tipton is the executive director of (ISC)² and a member of Infosecurity’s editorial advisory board. He has over thirty years of business experience, including CIO for the US Department of the Interior, director for international programs for the US Minerals Management Service, and engineer for Union Carbide. He has been a member of the (ISC)² Board of Directors since 2005, and the (ISC)² US Government Advisory Board since 2004. Tipton holds a BS from the University of Morehead and an MS from the University of Tennessee. He is a recipient of the Distinguished Rank Award for government service from the President of the United States.