You're on Your Own

Purposeful View: Once again, Congress bails on a cybersecurity bill (by Walt Lapinsky, 29 November 2012)


The White House has been unable to get a bill passed by Congress to improve the cybersecurity of critical IT infrastructure in the US. Therefore, earlier this year the administration released a draft Executive Order (EO).

In the face of this mounting concern, on November 14, 2012, the US Congress again quietly failed to act, pushing any action into 2013.

Part of the EO asks industry to voluntarily submit cyber threat information to the government. In theory, this information could not be used for regulatory purposes or used against companies. However, the EO does not offer any liability protection to companies – only Congress can do that.

The EO does not advocate any specific technology or even an approach to remediating or mitigating risks. On one hand, this is good, as the government is notoriously slow at approving specific products, with the approval time measured in years. In almost all cases, a product is obsolete before it is certified. On the other hand, it is not clear what value the EO could possibly deliver without at least providing requirements for security solutions.

We do need a consistent nationwide security framework, especially for critical infrastructure like finance and energy generation and delivery. It should also be carefully monitored to ensure that it does not actually decrease the security of these infrastructures by collecting protected data in yet another set of government databases. This is especially problematic, as the EO does not include any of the reforms to the Federal Information Security Management Act (FISMA) that were in the Senate bill. FISMA is chartered to protect the US critical information infrastructure.

No matter how big or small your business is, you need to be aware of the potential risks of a security breach. Over 70% of the successful attacks in 2011 were against relatively small organizations with 100 or fewer employees. Criminals have changed their focus to opportunistic attacks against weaker targets. They find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale.

How does the Cloud help? It helps by significantly reducing an organization’s risk. Almost all (94%) compromised data involves web, application or database servers. These servers are often the first component that an organization moves to the Cloud.

Even more breaches (97%) can be avoided through simple or intermediate controls, such as keeping operating systems, network components, and other software up-to-date with all security patches. Cloud Service Providers are very good at these kinds of conceptually simple but potentially operationally difficult tasks. Managing IT is their core competency.

Our view: This EO should not make you feel safe. You are on your own to protect your data and your business. You should not relax. You are still responsible for the security of your data, and it is you who will pay the price for any data breaches that occur.
