No Compliance is Good Compliance

The US Government is getting ready to pass the Cybersecurity Act of 2012.

In this 205-page bill is legislation mandating that entities deemed “critical infrastructure” meet security standards set by the government, including the Department of Homeland Security. The proposed law “is the product of three years of hearings, consultations, and  negotiations,” the intent of which is to secure systems which “if commandeered or destroyed by a cyber attack, could cause mass deaths,  evacuations, disruptions to life-sustaining services, or catastrophic damage to  the economy or national security.”

Like all other compliance mandates, it will fail.

Now let me first say that I am in no way anti-government (except in April), nor would I like our electrical grid, nuclear plants or water distribution facilities left exposed. However, government mandates are unlikely to solve the problem.

Why?

1. Compliance Mandates are Latent – By definition, compliance regulations are developed and implemented after a threat has been identified. Add to this inherent issue the time it takes for a bureaucrat to understand and measure risk, hire analysts to author a bill and weave it’s perceived benefit into their re-election strategy, we’ve left any potential legislation years behind its need. Compliance is not timely, nor can it be.
2. Compliance Mandates are Optional – For compliance requirements to be truly successful, all entities subject to regulations would be complying in some way. Unfortunately this isn’t the case, nor is it realistic. Asking the Government to audit all organizations would require armies of people and even bigger piles of money. Some regulations have introduced self-assessments to ease this burden, which has only led to inconsistency in reporting and implementation. Ever heard of anyone going to jail for HIPAA violations? Compliance is not mandatory, nor can it be.
3. Compliance Mandates are Vague – Anyone who has read the HIPAA Administrative Simplification or FFIEC Guidance knows that the Government is good at telling you what to do, but not how. And honestly, they really can’t be. How could such a broad technical standard be developed for so many different organizations? It might feel a little Draconian if the Feds told you exactly what directory services to use for authentication. Add to this challenge differing interpretations, language and changes in technology. Compliance is not prescriptive, nor can it be.

Despite its good intentions, compliance does not bring security. In fact, it may be having the exact opposite effect. In a recent survey, security administrators found themselves spending  between 25 and 100 percent of their time on compliance efforts, all while databreaches were increasing at their organizations.

So what’s the answer?

Let’s trade compliance for security. Rather than penalizing those that aren’t in compliance, how about rewarding those that are secure? If we took the billions that the government spends every year on HIPAA, FISMA, SSAE16, FFIEC, SEC, FIPS, DHS, TSA and the thousands of other regulatory bodies, their audits, personnel and other perfunctory functions and instead spent that on real security education for the right people, we’d be far ahead of where we are today.

If they wanted to go the extra mile, Lieberman and Company could help organizations implement metrics to tell how well they were performing against their security programs. If they wanted to get real fancy the Government could subsidize real risk assessments for organizations in “critical infrastructure”. They’d probably still have money left over for tracking terrorist hashtags on social media.

For most of us, compliance is here to stay. The question is – just how far from real security will it diverge?

Just ask TJX, Heartland or Sony.

Tales From the (Unen)Crypt

Yesterday I was waiting in the lobby of one of our larger clients as I had arrived a bit early for a meeting. I was doing something really useful on my BlackBerry to kill time when a thirty-something year-old woman walked in and approached the receptionist. To protect the not-so-innocent, we’ll refer to her as Jane.

What I’m about to tell you is a true story.

Jane: “Hi, I’m here to see [name deleted] but I think I may be in the wrong building.”

Receptionist: “OK, where do you think you’re supposed to be?”

Jane: “Hold on let me call my office and I’ll find out.”

Jane now steps away from the receptionist desk, pulls her mobile phone from her purse and immediately begins dialing her office for information. She reaches someone who appears to be her assistant, given the following conversation. We’ll make some assumptions about the Assistant’s dialogue.

Jane: “Hi [name deleted] can you do me a favor? I need you to access my calendar to see where my meeting is this morning, I think I’m in the wrong building.”

Assistant: “No problem Jane! How do I get access to your calendar?”

Jane: “My password is ‘Password1’ with a capital ‘P’. Yeah I know it sucks.”

Assistant: “OK well I can’t get to your calendar from my PC.”

Jane: “Yeah you can use my PC, I never lock it.”

Cue Quentin Tarantino soundtrack, an ultra-closeup of highly polished men’s dress shoes as they one-by-one, shuffle towards a thirty-something woman in a black suit, the staccato click of their heels shattering the deafening silence now engulfing the steel and glass lobby, cut to a super-tight shot in slow-motion of a GreyCastle Security business card being drawn from inside suit pocket –

“Hey Reg! Sorry I’m late.”

As I’m snapped from that dreamscape carved straight from a Hollywood set, I realize that we can’t save everyone, and not everyone wants to be saved.

I hope Jane made it to her meeting on time. I hope she changed her password when she got back to the office and has started locking her PC. And her phone. I hope the title on her business card doesn’t say Comptroller. I hope Jane doesn’t have to learn the hard way that just a little bit of security can go a long way.

I hope.