by Ben Tomhave | January 14, 2015 | Comments Off on You Can’t Fix Stupid: Renewed Calls For Cybersecurity Legislation (U.S.)
(yes, I’m feeling a bit cheeky today;)
As you’ve undoubtedly heard by now, President Obama renewed calls increased cybersecurity legislation, all apparently because Sony Pictures Entertain (SPE) got hacked? If you’ve not heard, check out the mainstream press coverage here:
- President Obama’s Letter to the House of Representatives
- SECURING CYBERSPACE – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts
- Yahoo News: Obama says hacks show need for cybersecurity law
- Reuters: Obama seeks enhanced cybersecurity laws to fight hackers
Additionally, the SEC has signaled that it’s considering increasing their disclosure requirements. This is perhaps a bit more sensible than the proposed legislation, since stakeholders have a right to transparency in the companies they’re supporting in order to better manage their investment/portfolio risk.
The EFF has come out with a rebuttal to the President that pretty much captures most of the security community’s response to the proposal. tl;dr: the proposal is political rubbish, as per usual.
A few quick thoughts… and, note, this represents my personal opinions, not the opinion of my employer, etc, etc, etc….
1) You can’t legislate away cybersecurity “risk.” And, you certainly can’t do so with checklists alone. The simple fact of the matter is that we continue to move through a transitional period in the midst of the digital industrial revolution, and until humans and automation catch-up with other technological advances, stuff is going to happen. While we should be holding people/organizations accountable for poor decisions, that does not mean we should be defaulting to a checklist-based approach that will never be complete or adequate.
2) Bringing back broken old ideas doesn’t suddenly make them good ideas. CISPA and related cybersecurity legislation insanity were never good ideas, and these proposed changes aren’t any better now than 3-4 years ago. Some have argued that the proposed changes would make most security research illegal, and it’s probably not too far off the mark this time. Because that’s worked so well in the past…
3) Making illegal actions more illegal doesn’t stop them. There’s a certain fallacious logic floating around these days that simply boggles the mind. It started with anti-Second Amendment (“gun control”) legislation, and continues now with these cybersecurity rules. Criminals don’t obey the laws. If they did, they wouldn’t be criminals. The attack on SPE is absolutely a violation of federal law under CFAA. And, while it’s true that CFAA really needs to be revised (it truly sucks), increasing penalties is in no way a solution, nor is making other security-related activities illegal going to help at all. If the deterrence isn’t sufficient, then certainly, make those tweaks. However, at the same time, let’s remember that an attacker based outside our jurisdiction is not going to be deterred by any laws inside our jurisdiction. Making changes that punish the security community for doing research is patently unhelpful.
4) The “right” solution is to make people responsible and accountable. I’ve written about this several times before (see here and here for a couple older examples). The fundamental problems are that businesses still aren’t acting responsibly around infosec and IT risk mgmt., nor are they accepting responsibility. Let’s consider, for example, just how pwnd SPE has apparently been. How is that even possible in this day and age? They’re not a small company. Without knowing all the details, I have to wonder at fault tolerance there, as well as monitoring, detection, and response capabilities. There is a certain degree of culpability that enterprises must accept insomuch as they are ultimately responsible for ensuring that they’ve met a reasonable standard of due care. And, to a degree, it seems that most businesses experiencing large compromises in 2014 were somewhat resilient, but are they resilient enough? That remains to be seen…
5) We have to push to the next generation of security practices, which means DevOps and security ops automation. As the title of this piece suggests, you can’t fix stupid, which is a glib way of pointing out that humans are fallible (and quite possibly dangerously ignorant). However, more importantly, we need to realize that traditional security practices simply do not scale. If they did, and if checklists were sufficient, then we wouldn’t be having these conversations. Instead, we’re finding that we simply don’t have adequately scalable solutions and resources. The only answer will be automation in the security space in order to at least improve the signal-to-noise ratio (SNR), cleaning up all those high-frequency/low-impact events, instead of having IT and opsec resources in constant firefighting mode, unable to see the forest for the trees.
When all is said and done, some rule changes may help move the needle. For example, NIST’s current draft of SP800-171 is particularly interesting insomuch as this will mandate cybersecurity requirements for private industry via FISMA and the acquisitions process (that is, if you want to do business with the USG, then you’ll need to demonstrate a modicum of infosec due diligence). However, there will be limits to changes like this because infosec cannot be solely addressed through checklists. As upcoming research will discuss, a two-pronged approach to security is necessary that combines checklist-based basic security hygiene with a risk-based approach to enhance, extend and mature specific practices to best serve the needs and risk tolerance of the business.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.