The recent presidential debates have certainly left me wondering just how qualified the candidates are when it comes to issues regarding security. Except for the obligatory comments related to border security, it is difficult to discern a genuine tone. When they do broach the subject of cybersecurity, GOP solutions are no more substantive than President Obama's.
When a series of high-profile events in 2010 and 2011 — including the espionage hacks on Google and Western energy companies (WSJ), the Stuxnet infiltration of Iranian nuclear sites, and the targeting of government networks in South Korea — we all bore witness the multi-faceted threat of cyber-attacks. But as our national cybersecurity policy continues to evolve to meet these challenges, and those of protecting vital power grids and financial networks, are we missing the big picture? Although the Obama Administration has made cybersecurity a cornerstone of policy initiatives, has enough been accomplished? Mandates like FISMA and HSPD-12 are high-profile, but are they effective?
"HSPD-12 is an admirable directive in concept, but has unfortunately failed thus far to meet its objective," says Tony Busseri, CEO of Toronto-based Route1 Inc., who shared his comments with me for this column. Route1 is a security and identity management company with a world-wide footprint. "Identity management and data entitlement are serious concerns for the U.S. government with potentially catastrophic consequences, but there have been no consequences for organizations that have not complied, and no impetus to force its implementation," Busseri continues.
When the Obama Administration delivered its comprehensive cybersecurity strategy to Congress last May, it received a lukewarm reception by industry groups. After more than two years effort by the White House to lay the groundwork for the protection of critical data, it has led to a consensus that the strategy lacks in depth and breadth. The Administration's cybersecurity policy is seen as long on defining federal authority, but short on providing incentives for the private sector to make the necessary investments in security technology and best practices.
Busseri couldn't agree more. "The headline comments are the outcome of an ineffective cybersecurity plan, plain and simple," he says. "The core elements of the digital security risk for the U.S. government focus on two primary issues from our perspective: (1) Are you properly authenticating a person, and if you aren't, how do you know that the right person was given access/entitlements to the digital assets; and (2) are you in control of the digital asset? If data goes outside of the organization's firewall, how do you ensure its integrity, and further, if you open up windows for the data to move outside of the firewall, are you creating additional vulnerabilities to your 'fortress' for viruses, malware and other cyberattacks?
"The U.S. government should focus on authentication and keeping data safe and secure behind the firewalls," Busseri adds. "If you accept the premise there is no such thing as 'perfect security,' then the goal has to be addressing data security risk by minimizing vulnerabilities."
Busseri doesn't believe any of the GOP candidates have a more insightful road map to ensuring cybersecurity for both the public and private sector than the Obama Administration. "None of the candidates has truly addressed the subject to my understanding," he says. "In today's volatile environment, where we face cyber-threats at every turn, security has to be considered a strategic issue."
My bottom line is that Congress should be giving companies incentives to boost cyber defenses and not rush to impose new regulations except in sensitive sectors like nuclear power, electricity and other utilities. In the end, cyber-espionage is presenting the clear and present danger to America. Doesn't it make sense to protect our economic engine by eliminating barriers instead of creating them?
If you have any comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at email@example.com.