Across the board, cybersecurity legislation badly needs an update. President Barack Obama’s recent cybersecurity remarks and State of the Union address have reignited the conversation around cybersecurity legislation, and that is a good thing. Most of the existing regulations were written 20 to 30 years ago to address telephone networks and other now-antiquated systems of communication. Regulations drafted in pre-cellphone times cannot be expected to handle today’s sophisticated threats and challenges. They have not kept pace with the forms of digital communication we use today or with the diverse threat environment we face, and they badly need to catch up.
Courts can respond only to — and attempt to interpret — those laws that are on the books. Unfortunately, until regulations are updated, that means court decisions are going to be based on interpretations of outdated laws.
In addition to anachronistic laws, companies are also facing confusing ones. Right now, organizations must deal with a daunting patchwork of state, federal and international legislation that often combines outdated viewpoints with conflicting goals and objectives for cybersecurity and data privacy.
A January 2015 survey conducted by global IT association ISACA (on whose Cybersecurity Task Force I serve as chair) found that three-quarters of respondents agree or strongly agree with President Obama’s proposal for national breach disclosure legislation. This finding makes sense. The current system of dozens of U.S. state laws makes it very challenging, expensive and complicated for businesses and unpredictable for consumers.
Most companies believe that a uniform approach to breach reporting would simplify the process and reduce costs. Cybersecurity truly seems to be a bipartisan issue, and having the federal government step in and create a uniform approach to breach reporting could benefit both companies and consumers.
Some worry that attempts to protect individuals and organizations from cyberattacks will encroach on attempts to protect civil liberties. But the real issue comes down to this: We can’t protect people’s civil liberties if we don’t have better security in place. We have to define what effective security requires, and we have to define what we are trying to protect. If we can lay that out clearly, we can create a strong balance between security and privacy.
Another area that would strongly benefit companies (and, by extension, individuals) is intelligence sharing. We know there is a greater desire for collaboration between the public and private sectors, but potential liability for companies that share information with the government or with each other often keeps organizations from coming together against a common adversary. To facilitate information sharing, it will be necessary to limit that liability or to provide an explicit exemption from it. Legislation that would have reduced those liabilities has been on the table in the past, but it has never made it through both houses of Congress.
Significant care must be taken for information sharing to be widely accepted and to truly work — but in the end, information sharing can only help us. Our cyber adversaries are prolific sharers of information — about us. The good guys need to improve in that area to stay ahead.
It is also important for governments to come together at the global level to define cybersecurity norms and responsibilities. What constitutes good behavior by a specific country relative to cyber norms? When is hacking by a country inappropriate? When does something cross the line? We don’t have sufficient norms and responsibilities defined at the global level, which makes it difficult to handle issues when they arise. We need countries to come together and define these, and it must happen before a major cyberincident occurs.
It will take some time for all of this to be accomplished. In the meantime, companies should be proactive and embed cybersecurity at the start of all projects and through the entire organization. Cybersecurity workforces must be robust, and all staff and service providers should be trained on how they can contribute to cyberdefense.
In the event of a cyberbreach, organizations must seek a broad range of assistance. They should look internally at all of the stakeholders that should be involved — not just IT, but all areas of the business, from legal to business unit support to HR and communications.
Then, they should look outside for expertise — to service providers, law enforcement agencies, government agencies and other companies in their market sector — to find skills and competencies they don’t have and to get the help and collaboration they need. It is critical to develop an ecosystem of support.
What is it going to take to ultimately get where we need to be? Cybercriminals are far ahead of us at this point, and one thing is very clear: It is time for us to take action to protect our children, our information, our infrastructure, our governments and our businesses.

Eddie Schwartz is chair of ISACA's Cybersecurity Task Force and president of White Ops Inc.