Tuesday, February 28, 2012

I Tried, But I Can't Dislike the Cybersecurity Act of 2012

I wanted to find a reason to dislike the recently proposed “Cybersecurity Act of 2012”, but I couldn’t find one. (You can download and read the bill HERE.)

Before reading the bill, I thought it was going to be another watered-down law that doesn’t address the problem of cyber-security at a national level, and doesn’t require (or facilitate) government agencies to talk to one another about their cyber-weaknesses. I was wrong.

The bill is a pretty good start for a long-term solution to remedying our nation’s cyber-security deficiencies, and here’s why:

1. The bill requires all federal agencies that maintain so-called “critical infrastructures” to conduct a comprehensive review of their cyber-weaknesses. (That’s a good thing, since everyone always thinks they have secure systems, until those systems are actually put to the test.) My suggestion: make sure that the self-assessments include all facets of security, including document retention and destruction policies, data migration policies and encryption policies. Security holes are sometimes found in garbage cans and dumpsters, and not just online.

2. The bill sets specific dates for compliance, using a phased-in approach. (Phased-in dates are always preferable to single-date deadlines, which are usually selected at random and bear no relationship to real-life implementation activities.)

3. The bill requires the government to speak to the private sector when setting performance and security standards. (I’m a big believer that the private sector knows best.)

4. The bill purports to be technology agnostic, and doesn’t require the use of any particular technology or software product by a federal agency. That’s an important point, since no single software or hardware product can deliver the security the government is seeking, and the ultimate solution will likely rely upon a mixture of various hardware and software components.

But let’s remember: disparate systems need to be able to work together. The degree of interoperability between security solutions MUST be considered, or we will end up with systems that don’t communicate with each other, which will result in security gaps and deficiencies. And that’s exactly what we’re trying to avoid, right?
