First of all, I wanted to applaud your swift action to hire Melissa Hathaway to examine the nation’s cyberdefense strategies and move forward with a better plan. I think I speak on behalf of many within the information security field in saying that this is a positive step in securing the information infrastructure within the United States. As Byron Acohido described in his most recent blog, Hathaway has proven quite capable of integrating disparate agencies with their own agendas into working together.

Which leads me to the point of this letter. I think that Hathaway will find in her review of our cybersecurity strategy that the private sector plays a critical role in shoring up the security of our nation’s infrastructure. The simple fact of the matter is that many of the systems that keep our country running reside in the hands of the private sector. In order to truly secure the nation, she will need to continue her role as an integrator, this time working with disparate private entities.

This is not a new issue; in fact, back when Richard Clarke was cybersecurity czar, I remember him saying something to the effect that the government had come to a realization that even if it were able to make every system it had impenetrable and perfect, it would still only protect about 40 percent of the critical infrastructure in the United States. In many ways the government has already begun tackling this issue through the development of agencies and task forces that have established a public-private security dialogue.

And yet, security problems still continue to plague us. The nation needs to move beyond simply talking about ways to improve private sector security and actually act. And the only way that can happen is if companies large and small have an incentive to do so. Right now it is financially difficult for companies to survive, let alone think about security.

We’ve already tried the stick—regulatory requirements such as Sarbanes-Oxley and HIPAA have given basic security ultimatums to companies around the country. Sadly, though, regulations don’t always guarantee security, and they often have unintended consequences. Years of experience are starting to show that when it comes to compliance with these well-meaning regulations, companies are following the letter of the law rather than the spirit of the law.

Many companies are in a checkbox compliance mode. They’re doing the bare minimum required to appear compliant and appease regulatory auditors, with little regard to whether or not their actions actually make the company secure. This is unfortunate when we consider that most regulations were designed only to offer a very basic guide for getting a security program off the ground.

This is why we must now introduce a carrot. We need to find a way to encourage businesses to improve their security practices—without imposing additional cumbersome regulations that will not substantially improve our nation’s security posture. So how do we do this while allowing businesses the choice and the creativity to address risks as they see fit?

I believe the answer is to institute tax benefits that give businesses tax credits for making security improvements above and beyond government or industry compliance mandates. Doing so gives businesses positive incentive to improve their security practices and financial leverage to introduce technology tools that they may be hesitant to purchase in light of the current economy.

Take a company impacted by the Payment Card Industry Data Security Standard (PCI DSS), for example. This industry-imposed regulation specifies minimum security practices required of companies that handle credit card information. One of the requirements is that the business installs a software patch within 30-60 days of its release from the vendor. That’s all well and good—a definite advance over not installing the patch at all. But the company would be most secure if it installed automated patch remediation that provided a way to install the patch within hours of its release. Under my proposal, such a measure would make the company eligible for a tax credit.

While this plan would cost the country some money on the front end, it would be a sound investment. Just as you’ve encouraged us to strengthen the nation’s physical infrastructure such as bridges, roads, power grids and sewers, I believe you also need to lead us to a stronger information infrastructure.

Not only will it ensure the country keeps running smoothly, it could also potentially save us a lot of money in the long run. According to McAfee, data theft and cybercrime are costing the global economy $1 trillion per year. That’s approximately equivalent to the amount of money Congress voted to put back into the economy under the American Recovery and Reinvestment Act of 2009, and we’re losing it every year. Granted, it’s a global figure, but many of those losses occur in the United States.

Imagine if we could cut those losses. The economy would see a massive boost each year equivalent to the recent stimulus package, with a fraction of the government investment. And our nation would be eminently more secure.