For better or worse, the United States government in all its forms is becoming more active in cybersecurity. Thanks to the rise of high-profile ransomware cases, Russian hacks into databases operated by the Democratic National Committee and an ongoing legal battle over encryption and the right to privacy, politicians and government bureaucrats are paying more attention to IT security.
In fact, at an American Enterprise Institute event this week on Capitol Hill, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) announced the creation of the ‘Senate Cybersecurity Caucus’ to provide a platform for Senators and their staffs to stay informed on major policy issues and developments in cybersecurity. That means it’s only a matter of time before more IT security regulations start to show up as a matter of law.
How far those regulations might go is a subject of intense concern for the IT industry. Some argue that a history of shipping the “minimal viable product” has left the IT industry as a whole open to more potential product liability regulation. After all, government officials are almost inevitably going to look to pin the blame for all the vulnerabilities that keep getting exploited by cybercriminals on someone other than the law enforcement agencies that work for the government.
At first blush, all this increased interest in IT security may seem like a positive development. But the history of IT security shows that setting IT security standards generally creates a minimal bar that companies are supposed to hit. The trouble is that most organizations then tend to think of IT security as a compliance issue. The end result is that for a few fleeting moments during an audit, organizations will meet the bare minimum IT security requirement. A couple of configuration management changes later, and all IT security bets are off again.
Naturally, cybercriminals will also know where those bars have been set. They’ll focus their efforts on end-running the prescriptive requirements set by the government agency. Cybercrime will therefore continue to thrive; the only difference is that organizations will be paying more for IT security products and services that meet a minimum regulatory standard, and nothing more.
To break this dysfunctional approach to IT security, the entire culture surrounding the IT community has to change. Developers and manufacturers need to view security as a fundamental requirement for shipping a minimally viable product. IT organizations need to proactively manage security in a way that goes well beyond simply meeting compliance requirements. IT security needs to be a fundamental element of any digital business strategy. Courts need to view the lack of appropriate IT security as reckless, and open the door to higher awards. Clauses that attempt to absolve companies of responsibility for IT security need to be stricken from business contracts. Insurance companies need to charge higher premiums for organizations that have a bad IT security record.
Increased government focus on IT security can be both a blessing and a curse. Given the amount of gridlock in Washington, it might be years before anything, if ever, comes of all this increased scrutiny. Of course, the most effective action of all would be for IT organizations to vote with their dollars. Business contracts could stipulate levels of IT security that allow organizations to be compensated for losses stemming from inadequate IT security around known vulnerabilities. That assumes, of course, that all relevant patches have been applied in a timely manner. Long story short, there are bad people out there making a mockery of IT security. The trouble is that as an industry we still make it way too easy for them to do that.