Prediction: New government mandates around cyber security will require businesses to reveal security breaches for full compliance, in turn sending them into a tailspin as they must find new ways to manage data around and report these attacks.
2011 showed record numbers of cyber security attacks and associated breaches with very public disclosures from Citigroup, the International Monetary Fund, RSA (The Security Division of EMC), Lockheed Martin, Google, Sony, ADP, and NASDAQ amongst the many. Government networks, critical infrastructure operators, and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security -- often with discovery after the fact.
As a result, the U.S. House of Representatives’ Intelligence Panel recently approved a bill to let U.S. spy agencies share intelligence on cyber threats with defense contractors and Internet service providers and the SEC issued a memo suggesting that corporations disclose all cyber attacks, showing that continuous compliance and allocation of resources in accordance with risk posture will be even more important for many federal-regulated organizations.
But the true question is – will these guidelines be helpful or harmful in the long-term?
I believe that these actions represent much-needed progress in the fight against cyber criminals. It is a common understanding among security professionals that collaboration among the good guys to outmaneuver the bad guys is a preemptive measure that has great potential to reduce the frequency and scope of hackers’ attacks.
While it will be interesting to see how the cyber security bill will enhance the risk posture of government agencies, defense contractors, and Internet service providers, the overarching question is whether the bill is wide reaching enough. Sharing sensitive threat information becomes essential in preventing widespread attacks across different verticals and industries.
At the end of the day, we have to understand that cyber criminals are coordinating their efforts and are well-versed in sharing vulnerabilities and attack methodologies. To counter them, government and private industry have to work hand-in-hand to quickly dissipate information about threats.
What collaboration can produce has been showcased by the strengthening and unifying of all government agencies to overcome the breakdown of intelligence data exchange after the September 11 attacks. Improvements in network consolidation, intelligence integration, and cross-departmental training can be contributed to the detection and subsequent killing of al-Qaeda leader and founder Osama bin Laden.
Collaboration isn’t easy. Often, movement can only be achieved by way of mandatory obligation. Although this cyber security bill and SEC memo is a move in the right direction, a broadening of the group that information will be shared with and regulations that mandate prioritizing security in the overall picture will really move the needle. As companies evolve to shift their outlook to risk-based security, to achieve full compliance, it will result in a safer, more secure network infrastructure.
The Tech Herald welcomes 2012 related threat predictions from vendors, as long as they do not reference the end of the world and remain product neutral. All submissions are subject to editing and are due by December 20, 2011. Submissions can be delivered to [email protected] with the email subject of 2012 Predictions.