The CIA breach/Wikileaks dump is yet another example of the government’s lackluster approach to security. After all, the CIA is not the first government agency to suffer a breach. It needs to get in line behind the State Department, the Office of Personnel Management, the IRS, and so on.
So it is not surprising that a Tripwire survey at RSA found that only 17 percent of security pros believe the government is able to protect itself from cyberattacks. Security professionals are also concerned about the rise in nation-state attacks and have called for a “Digital Geneva Convention” to address the problem.
Perhaps not surprisingly, those surveyed are much more confident in their own organization’s ability to tackle security concerns. Even so, as David Meltzer, chief technology officer at Tripwire, stated:
People and organizations alike look to the government to set an example and lead the way on all sorts of issues, including cybersecurity. What the results of this survey show is that seasoned cybersecurity professionals are not confident in the government’s current cybersecurity strategy, and these worries can trickle down to the list of concerns for an enterprise.
The federal government has been dragging its feet when it comes to cybersecurity, and it hasn’t improved with the administration change. President Trump was scheduled to sign an Executive Order, but it’s been delayed. And as TechTarget explained, no one is sure how effective the directive, which would require security audits, would be.
At this point, I’m not confident in the federal government’s ability to successfully address cybersecurity. While agencies may need to work independently when it comes to improving their security posture, overall, would we be better off if this issue trickled down to the states?
On March 1, regulations went into effect in New York that require financial institutions to meet a minimum level of cybersecurity standards. According to Reuters:
The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.
The new regulations also call for institutions to perform risk assessments in order to create the right security system for their needs. It’s a start – the state has recognized the need for someone to step up and enforce security standards. But as Ed Adshead-Grant, general manager of payments with Bottomline Technologies, told me in an email comment, there are ways for the regulations to improve:
In its current form, the cybersecurity regulation proposed by New York State for banks and insurers is missing the mark, as it fails to address one key consideration: open banking. With the adoption of the PSD2 regulation in Europe, we’re already seeing financial institutions across the pond implementing new technologies like open APIs, and it’s clear that the trend will come to the U.S. as well. The introduction of these technologies will give way to new security threats, requiring banks and insurers to implement real-time monitoring systems to identify and flag suspicious activity. While the proposed regulation’s requirement of multi-factor authentication is a solid step toward heightening security, that alone will not solve security problems if auditors are not watching how users – both internally and externally – are behaving in real time.
But it is something. I don’t think cybersecurity can really be limited to states – too many variables are at stake – but as we’ve seen in other types of legislation, once states begin to lead, the federal government tends to follow. I certainly hope that is the case now.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba