Internet Security Alliance President Larry Clinton joined several other prominent information security advocates to provide testimony before the Senate Judiciary Subcommittee on Terrorism and Homeland Security Tuesday.
Entitled Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace, the hearing is one of several held this year by various Senate and House committees that oversee everything from commerce to defense, as the nation struggles to gain insight into mounting cyber security threats and how best to craft policies to combat them.
Clinton’s testimony focused on the fact that information security is not merely an IT problem, but is in fact central to both economic stability and national security.
“First, the President is correct in his appreciation of the need to view cyber security as not just a technical and security issue, but as an economic one as well. In the 21st century - the digital century - economics and security are opposite sides of the same coin. You cannot affect one without impacting the other,” Clinton stated.
The rapid pace of technology and security upgrades is overwhelming corporate budgets, and many are forced to make decisions about their information security based on the bottom line, not best practices.
Where federal regulation does exist, such as in the payment card industry and healthcare field, issues abound regarding the high cost of regulatory compliance, and whether regulatory compliance is actually a path to security.
Clinton and the ISAlliance favor a proactive market solution.
“Federally-imposed mandates on the broad private sector will not work and will be seriously counterproductive to both our economic security and our national security,” Clinton testified.
“The Administration’s Cyber Space Policy Review takes the right approach in advocating for the development of additional economic incentives, including procurement incentives, liability incentives, and even tax incentives, to promote cyber security.”
Clinton argues that regulation is really only enforceable on a national level, while most of the problems that pervade the internet are global in nature.
The implementation of additional federal regulations will only increase security costs, put American businesses at an economic disadvantage with their foreign competitors, and actually do little to improve information security.
The ISAlliance is within weeks of releasing its much-anticipated follow-up to The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress, released in 2008, which offered insight into the nature of the internet and how this singular entity requires a unique approach to its security.
“December 3, we will be releasing a new publication entitled, Implementing the Obama Cyber Security Strategy via the Social Contract Model,” announced Clinton.
“This new document will detail specific steps to move from broad policy principles, where we find broad agreement, to implementation, and it will cover issues such as:”
- Securing the global IT supply chain
- Developing a new information sharing model generating actionable information for the broad range of the private sector
- Aligning and managing the legal incongruities created by modern technologies and outdated legal structures
- Creating both a market and incentives to promote proven effective cyber security standards/practices and technologies
- Creating an enterprise education program to enable modern corporations to properly appreciate and manage financial cyber risk
- Addressing the critical cyber security issues facing higher education
- Developing automated security standards for unified communications platforms such as VOIP
Clinton and the ISAlliance maintain that there should be enough motivation in simple self-preservation for corporations to take additional measures to protect sensitive and proprietary data, but there are just not enough economic incentives to get them to act.
There is always a catch-22 aspect to security, in that the better the security, the harder it is to articulate the need for additional measures.
Everyone sees the need after there is a catastrophic security event.
“We need to have corporations, who own and operate the vast majority of the Internet, to perceive that it is in their own self interest to continually improve not only their own security, but also the security of everyone else with which they interact,” Clinton added.
But the absence of any perceived imminent threats, while in the midst of a recession, results in companies continuing to push security and infrastructure spending down the road, and the primary reason is budgetary.
“As PricewaterhouseCoopers’ 2009 Global Information Security Study documents,” Clinton stated in testimony, “economic considerations are actually one of the most important considerations in determining corporate information security spending decisions, and these considerations rate higher than regulatory compliance, company reputation or internal policy compliance, and nearly as high as the number one issue, business continuity/disaster recovery.”
The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues, and is a nonprofit organization.
The ISAlliance represents corporate security interests before legislators and regulators.
In so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.