Torsten George (US) - Addressing Cyber Security Threats in the United States and Europe

2011 has seen record numbers of cyber security attacks and associated breaches with very public disclosures from Citigroup, the International Monetary Fund, RSA (The Security Division of EMC), Lockheed Martin, Google, Sony, ADP, and NASDAQ amongst the many. These attacks are just the tip of the iceberg. Government networks, critical infrastructure operators, and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security -- often with discovery after the fact. The overarching question is whether government regulations are a sufficient measure to overcome the chasm between compliance and security.

Up to this point, both the United States and Europe took a consumer-focused approach to addressing cyber security threats, mandating the disclosure of only those data breaches that may affect consumers and their personally identifiable information. California's "right to know" disclosure law (SB1386), which was copied by other U.S. states, as well as the European Union's data privacy requirements and its e-Privacy Directive (2009/136/EC) are good examples of regulations that impose disclosure requirements only in certain circumstances. Other security incidents only became public knowledge because of unofficial disclosures or because of their effect on the consumer (e.g. a denial of service attack).

This approach to cyber security threat disclosure is based on the premise that data security and the responsible stewardship of personal information should be driven by consumer protection, not solely by government intervention or mandates. In theory, organizations that fail to protect against data breaches will ultimately suffer as consumers seek better security through their competitors.

However, recent legislative initiatives in the United States are diverging from the original approach, and it seems inevitable that some level of mandated disclosure of all incidents that pose a risk to an organization will emerge at a national level. On October 13, 2011, the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that outlines disclosure practices for public companies in light of the most recent spike in cyber security attacks and associated data breaches. The guidance document signals that companies have to pay more attention to assessing the impact of cyber security attacks and their outcomes, especially as it relates to weaknesses in the security posture and preventive measures of the organization.

While you can argue that mandating specific standards to address cyber security threats is a good way to provide an incentive to finally invest in implementing security best practices, it does not necessarily guarantee a reduction in data breaches. Opponents of this approach argue that by treating companies as offenders, and not as the victims they are, the government risks encouraging organizations to continue putting compliance first, not security. Unfortunately, being compliant does not equate to being secure, as compliance lacks the correlation to risk and is conducted periodically, rather than continuously. Thus, only regulations that mandate prioritizing security in the overall picture will really move the needle.

The degradation of core security capabilities described in The 2012 Global State of Information Security Survey® is illustrated by the fact that organizations' vulnerability countermeasures, including perimeter intrusion detection, signature-based malware detection, and anti-virus solutions, are unable to keep up with evolving exploits. This is another indicator that stricter government regulation is not the Holy Grail for countering cyber security threats.

Similar to Europe, where private industry and government agencies share threat information, the United States must realize that collaboration among the good guys to outmaneuver the bad guys is a preemptive measure with great potential to reduce the frequency and scope of hackers' attacks.

The sharing of sensitive threat information is essential to preventing a widespread attack across different verticals and industries. At the end of the day, we have to understand that cyber criminals are coordinating their efforts and are well versed in sharing vulnerabilities and attack methodologies. To counter them, government and private industry have to work hand-in-hand to quickly disseminate information about threats. The positive outcomes of collaboration were clearly showcased by the strengthening and unifying of all U.S. government agencies to overcome the breakdown of intelligence data exchange after the 9/11 attacks. Improvements in network consolidation, intelligence integration, and cross-departmental training contributed to the detection and subsequent killing of al-Qaeda leader and founder Osama bin Laden.

By following Europe’s lead, the United States can reorganize its policies to emphasize cooperation and transparency across private industry and the Federal government.

By Torsten George, Vice President worldwide of Agiliance
