In previous blogs urging businesses to take action to stop the Senate from passing the Cybersecurity Act of 2012, I stated that Congress really did not know the security posture of most companies and that they lacked a credible basis for pushing “cybersecurity practices” on businesses. Senator Rockefeller proved my point on September 19 when he sent a letter to the CEOs of Fortune 500 companies asking them what best practices they have adopted, how they were developed, who developed them, and when they were developed and updated. If he had to ask the largest U.S. companies about their security posture, he clearly did not have any factual basis for trying to push cybersecurity practices upon them.
Senator Rockefeller’s rather lengthy list of questions also asked these businesses what their concerns are regarding the Cybersecurity Act of 2012. If they choose to respond to his letter, I hope every CEO and their legal counsel will take time to understand the problems with this badly flawed legislation. My blog that outlined the problems with this bill may be helpful. The Senator’s question about concerns with the bill’s “voluntary program” to develop cybersecurity best practices is especially slippery. The “program” to develop them may be voluntary, but it is doubtful that the “practices” will be.
If Senator Rockefeller wants to hear, as he says, “directly from the chief executives” of America’s top companies, why doesn’t he ask them to come testify? This is important information that everyone, including investors, should have, not just one Senator. Better yet, why doesn’t he push for legislation that requires public companies to indicate in their SEC filings whether they have undertaken all the activities that comprise a full enterprise security program? Such a requirement would not mandate that certain activities be performed; it would simply require information in company filings regarding whether the company had or had not performed the various activities required for an enterprise security program. Companies would have to be truthful in providing this information because it is illegal to put false information in SEC filings, and, if the company had a breach and it was investigated, a full security program could not be pulled together in one or two days. This information in SEC filings would trigger market forces, and companies would start ensuring they had a strong security program. It would jumpstart a culture of cybersecurity, with non-public companies following suit.
This was not Senator Rockefeller’s first letter to top executives fishing for information. Four months ago, Senator Rockefeller sent a similar letter to Dave McCurdy, president and CEO of the American Gas Association (AGA). In that letter, he inquired about an AGA report called AGA-12 and efforts by the AGA to develop security standards for SCADA (supervisory control and data acquisition) systems. Senator Rockefeller was concerned about a Christian Science Monitor article which reported that these standards had not been implemented. In a lengthy reply, Mr. McCurdy noted that the AGA-12 report was developed by the AGA and others to raise awareness within the industry about cybersecurity. The AGA Cryptography Working Group was subsequently formed to examine how encryption could be used to help protect SCADA systems from attack. The first part of this Group’s work was a report “intended to serve as a guideline for voluntary implementation of a comprehensive cybersecurity posture.” The second part of the AGA Group’s work was to create guidelines for manufacturers to create encryption modules that could be used with existing systems. This work was quite technical and resulted in various technologies being brought to the marketplace.
In his reply to Senator Rockefeller, Mr. McCurdy carefully noted that as products became available under the program, antitrust laws prohibited the companies from joining together and choosing one product over another. He also said that some pipeline operators expressed concern that the technologies might interfere with operational safety. Mr. McCurdy pointed out that technical solutions must adapt to unique system configurations and operations; thus, a one-size-fits-all solution was not realistic. In addition, he noted that it was not wise to select one solution or requirement for the industry sector because it would make all pipeline systems more vulnerable, since there would be one known configuration or path to attack.
Mr. McCurdy, a former Congressman and chair of the House Intelligence Committee, is acutely aware of the risks associated with cyber systems. In his reply, he boldly rejected the Senate’s inclination toward regulation by declaring that “legislation should recognize existing government/industry partnerships that work, rather than usurping them with mandates and administratively burdensome regulation that might hinder timely implementation and strategic cybersecurity defenses.”
Senator Rockefeller’s letters to the AGA and Fortune 500 CEOs also reveal a lack of understanding about cybersecurity standards, best practices, and enterprise security programs. They are not developed in isolation; rather, they are developed by security experts, government officials, and private sector representatives working closely together, often on several efforts. His questions regarding best practices are not easily answered, and it is certainly doubtful that any CEO will know the answer to what best practices have been adopted in their company, how the best practices were developed, who developed them, when they were developed, and when they were updated. Most CISOs would not know the answer to these questions.
For starters, there are several internationally accepted best practices and standards for cybersecurity, and many companies have implemented all or parts of several of them. The best known are:
- The ISO 27000 series
- Information Technology Infrastructure Library (ITIL)
- International Society of Automation (ISA)
- Control Objectives for Information and Related Technologies (COBIT) developed by the Information Systems Audit and Control Association (ISACA)
- Payment Card Industry Standard (PCI)
- National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS)
- Information Security Forum (ISF) Standard of Good Practice for Information Security
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) developed by Carnegie Mellon University’s Software Engineering Institute
- Internet Engineering Task Force (IETF)
- Institute of Electrical and Electronics Engineers (IEEE)
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP)
- U.S. Nuclear Regulatory Commission
These materials are voluminous, detailed, and cover technical, operational, and managerial aspects of cybersecurity. For example, there are 188 information security standards developed by ISO. All of these standards are revised, rewritten, deleted, and supplemented on an ongoing basis by people who work tirelessly in this area and who also ensure that the standards are fairly well harmonized. This is critical because when companies engage in mergers and acquisitions, they have to merge their IT systems and security programs, and each of them may have followed different best practices for their security program. Which standard or best practice was followed is largely irrelevant because the standards are harmonized and the basic activities to be undertaken are largely the same. The most important aspect in assessing any cybersecurity program is to determine whether specific activities have been undertaken, rather than focusing on which best practice or standard is followed. It is also important to remember that these activities have to be conducted to suit each organization’s own culture, operational criteria, and system architecture.
The most troubling aspect of Senator Rockefeller’s Fortune 500 CEO letter, though, was his statement expressing bewilderment at why business organizations were opposed to the Senate’s plan for a “voluntary program” to create cybersecurity practices and reasoning that:
This private sector-led approach strikes me as one that companies would want to have codified in statute, rather than risking reactive and overly prescriptive legislation following a cyber disaster.
Read that again. To suggest that Congress should saddle businesses with laws and regulations (Administration officials have admitted that they intend to make the cybersecurity practices mandatory after they are developed through the “voluntary program”) simply because Congress is likely to overreact after a serious event is mind-boggling. Was the legislation passed after 9/11 overreactive and overly prescriptive? Is that what is being suggested? Congressman Dan Lungren of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies said the same thing at Bisnow’s Cybersecurity Summit on June 5, 2012.
Legislators are supposed to be able to assess a situation and enact only the laws that are needed. Congressmen should not scare the public into supporting legislation before it is needed on the grounds that Congress might run amok if a major cyber event occurs. That is disrespectful to the many thoughtful Representatives and Senators on the Hill who would not do so, and it is a poor justification for a law, especially when the chairman of the Senate committee has just admitted that his committee members do not have a firm understanding of U.S. businesses’ cybersecurity programs or of how best practices and standards are developed and implemented.
Senator Rockefeller’s letter to the Fortune 500 CEOs does, however, give them an opportunity to flatly reject the notion of mandated cybersecurity requirements and to ask him to turn his focus toward incentives for security improvements and actions that would help deter cybercrime. This is an opportunity that should not be wasted; with one letter, CEOs could save their companies the huge sums of money that would otherwise be spent annually on mandated requirements.