National cyber security leadership starts now
We recently had the privilege of hosting Melissa Hathaway, cyber security chief at the National Security Council, at Symantec’s Government Symposium, our annual conference for public sector customers and government officials.
In one of her first appearances following the White House announcement of the 60-day cyber review results, which examined the country’s preparedness against cyber attacks, Ms. Hathaway outlined the report’s recommendations to help the United States achieve a more reliable, resilient, and trustworthy digital infrastructure for the future.
Development of the report is a reflection of the Administration’s commitment to addressing our nation’s cyber security and elevating it to the national priority that it deserves. We wholeheartedly support President Obama’s efforts and appreciate his leadership on this initiative.
The report recommends that the president name an official who would be responsible for coordinating the nation’s cyber security policies and activities across government. This is a critical and necessary position that should be a senior adviser in the White House.
The recent mass denial of service attacks on the websites of various U.S. government agencies in early July serve to emphasize the need and urgency for such a position to be created.
With that in mind, there are several actions that can be taken by Congress right now – immediately – to increase the nation’s cyber security and to help the cyber security coordinator hit the ground running once that position is named by the White House.
Specifically, I would recommend that lawmakers pass three cyber security-related pieces of legislation currently being considered by both the House and the Senate.
First, we need a national data security breach notification law. Legislatures in 46 states have already passed laws requiring organizations or individuals that conduct business in those states to notify customers when their personal information has been put at risk.
The trouble is, having so many different policies, notification triggers, deadlines, and civil penalties to consider makes compliance more difficult and uncertain for companies that do business across state lines. More importantly, this piecemeal approach to security falls far short of helping the very people such legislation was created to protect. A federal data breach notification law—based on the toughest version of any state law—would provide organizations a uniform standard from which to operate and, ultimately, better benefit every citizen of this nation.
Next, we need to reform the Federal Information Security Management Act (FISMA). The cyber security landscape has changed dramatically since 2002 when FISMA was first signed into law. Cyber criminals now operate in a professional underground economy that makes it easy and lucrative to buy and sell stolen identities, credit card numbers, bank account data, and other personal information. Botnets are used to launch crippling denial of service attacks on public and private sector networks and steal sensitive information.
The threat of cyber warfare and state-sponsored cyber attacks has increased over the years since FISMA was established, creating questions about rules of engagement and challenges regarding government agency preparedness.
New vulnerabilities in federal government information systems urgently need to be addressed to ensure that federal information security practices keep pace with the evolving and increasingly organized threat landscape. FISMA also must be updated so that agency chief information security officers have the necessary authority to enforce security requirements over agency networks and systems.
The third piece of legislation that should be passed is the Critical Electric Infrastructure Protection Act, sometimes referred to as the Smart Grid Act. This Act provides guidelines and policies needed to establish a base form of security to protect the nation’s electronic grid from cyber attack. More specifically, the law would protect the nation’s energy grid and the network used for the transportation of electricity and natural gas throughout the country.
These steps can be taken now, even before a cyber security coordinator is appointed. Indeed, they should be taken now to protect the digital infrastructure this nation requires to live and thrive.