No Compliance is Good Compliance
The US Government is getting ready to pass the Cybersecurity Act of 2012.
In this 205-page bill is legislation mandating that entities deemed “critical infrastructure” meet security standards set by the government, including the Department of Homeland Security. The proposed law “is the product of three years of hearings, consultations, and negotiations,” the intent of which is to secure systems which “if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.”
Like all other compliance mandates, it will fail.
Now let me first say that I am in no way anti-government (except in April), nor would I like our electrical grid, nuclear plants or water distribution facilities left exposed. However, government mandates are unlikely to solve the problem.
- Compliance Mandates are Latent – By definition, compliance regulations are developed and implemented after a threat has been identified. Add to this inherent issue the time it takes for a bureaucrat to understand and measure risk, hire analysts to author a bill and weave its perceived benefit into their re-election strategy, and we’ve left any potential legislation years behind its need. Compliance is not timely, nor can it be.
- Compliance Mandates are Optional – For compliance requirements to be truly successful, all entities subject to regulations would be complying in some way. Unfortunately this isn’t the case, nor is it realistic. Asking the Government to audit all organizations would require armies of people and even bigger piles of money. Some regulations have introduced self-assessments to ease this burden, which has only led to inconsistency in reporting and implementation. Ever heard of anyone going to jail for HIPAA violations? Compliance is not mandatory, nor can it be.
- Compliance Mandates are Vague – Anyone who has read the HIPAA Administrative Simplification or FFIEC Guidance knows that the Government is good at telling you what to do, but not how. And honestly, they really can’t be. How could such a broad technical standard be developed for so many different organizations? It might feel a little Draconian if the Feds told you exactly what directory services to use for authentication. Add to this challenge differing interpretations, language and changes in technology. Compliance is not prescriptive, nor can it be.
Despite its good intentions, compliance does not bring security. In fact, it may be having the exact opposite effect. In a recent survey, security administrators found themselves spending between 25 and 100 percent of their time on compliance efforts, all while data breaches were increasing at their organizations.
So what’s the answer?
Let’s trade compliance for security. Rather than penalizing those that aren’t in compliance, how about rewarding those that are secure? If we took the billions that the government spends every year on HIPAA, FISMA, SSAE16, FFIEC, SEC, FIPS, DHS, TSA and the thousands of other regulatory bodies, their audits, personnel and other perfunctory functions and instead spent that on real security education for the right people, we’d be far ahead of where we are today.
If they wanted to go the extra mile, Lieberman and Company could help organizations implement metrics to tell how well they were performing against their security programs. If they wanted to get really fancy, the Government could subsidize real risk assessments for organizations in “critical infrastructure”. They’d probably still have money left over for tracking terrorist hashtags on social media.
For most of us, compliance is here to stay. The question is – just how far from real security will it diverge?
Just ask TJX, Heartland or Sony.