Computerworld

Feds want uber cybersecurity compliance standard

US congressional taskforce recommends super-standard
  • Tim Greene (Network World)
  • 07 October, 2011 01:30

Tired of regulators from three or four US federal agencies auditing your network security compliance every year? A congressional task force recommends a super-standard that would cut the number of annual audits back to just one.

If adopted, the proposal would consolidate federal cybersecurity mandates issued by disparate agencies into a single set of standards that would satisfy all of their requirements. Businesses would require a single audit that would satisfy all requirements, according to the House Republican Cybersecurity Task Force, which released its recommendations today.


The group notes that Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley all impose their own security requirements. "A company would be encouraged to implement stronger security standards by allowing it to save money and time by avoiding multiple audits from multiple regulators," the task force says.

The task force was set up in June by House Speaker John Boehner in part to respond to the Obama administration's proposed cybersecurity legislation, delivered to Congress in May.

Regulatory compliance has become the bane of CIOs and CISOs, sapping their budgets to the point where some say they can afford to do little else but meet the regulations to the satisfaction of auditors.

At this week's SINET Innovation Summit in Boston, on innovation in cybersecurity, one speaker, Sallie Mae CSO Jerry Archer, said his company spent 40% of its security budget on complying with regulations. "What is needed is automating compliance to reduce the bite it takes from the budget," he says.

Another speaker at the summit congratulated him on such a low percentage. "For some it's 100%," says Josh Corman, director of security intelligence at Akamai. The trouble with regulations, Corman argues, is that they drive security architectures toward preventing the data losses the regulations happen to cover, which may have little real impact, while ignoring thefts that could be devastating.

For instance, loss of credit card numbers -- protection of which falls under the private Payment Card Industry Data Security Standard (PCI DSS) rather than a government mandate -- is painful to the card holders, but the cards can be replaced. More focus should be put on data breaches that result in the loss of critical technologies that could wipe out businesses or imperil national security, Corman says.

The congressional task force also says that the best way for government to get the big picture of cyberattacks is to have someone else do the investigation.

The task force's recommendations include setting up an organization, separate from government, that gathers data on cyberattacks. Government agencies as well as private groups could tap into it when they need a picture of ongoing cyberactivity threatening critical infrastructure.

Government is too slow to respond to ever-changing threats in a timely manner, a problem an independent entity authorized to gather and disseminate attack details wouldn't face, the task force says. "Owners and operators know best how to protect their own systems, and it is nearly impossible for the speed of bureaucracy to keep pace with ever changing threats," its recommendations say.

The idea of distancing government from cybersecurity decisions that inherently require quick action was echoed this week at the SINET Innovation Summit. The group met to discuss how security technologies that the government needs to fight cyberattacks can be developed and rapidly deployed through quick-moving startups.

One conclusion: Partnerships could be created that pull together funding, research and development, and transition the resulting technology to products that can be developed quickly. Central to this model is limiting the role of government, says Douglas Maughan, director of the Cyber Security Division within the Science and Technology Directorate of the Department of Homeland Security.

"Keep government at a distance," Maughan told the group. "Things don't always go so well when the government's in the middle."

He cited the case of the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) project in which DHS has collaborated with petroleum companies to address issues in that industry. One effort called the Correlation Project involved cooperation of the Department of Homeland Security and private businesses including petroleum giants BP, Chevron and Citgo. The project was coordinated through a third party, The Automation Federation.

The project came up with a correlation engine that took input from supervisory control and data acquisition (SCADA) systems as well as from corporate business networks and spit out attack warnings, Maughan says.

Other recommendations from the congressional task force call for a set of incentives that encourage businesses to do the right thing when it comes to defending their networks against cyberattacks.

Incentives such as reducing data-breach liability, tax credits, insurance breaks and tying government grants to cyber-compliance should be considered, according to the task force's report.

"We are generally skeptical of direct regulation and of government agencies grading the security of a private company, which is another form of regulation. Threats and practices change so quickly that government-imposed standards cannot keep up," the report says.

Instead, Congress should adopt voluntary incentives to encourage private businesses that control critical infrastructure, such as power grids, water supplies and fuel supplies, to adopt better security measures. Other businesses would be free to adopt the same standards, the task force says.

Congress should consider extending or expanding tax credits such as the current research and development credit, so it includes cyber-upgrades, the report says.

When doling out grants to businesses, Congress could require compliance with minimum cybersecurity protection standards if the grants pertain to national security, law enforcement and critical infrastructure, the task force recommends. "These would include general protection standards such as updating computer patches or running anti-virus software that would not be overly burdensome to grant recipients," the report says.

Congress should look into whether insurance companies could encourage better cybersecurity among policy holders. The task force didn't seem to know how insurance companies handle this, but recommended finding out.

While generally opposed to mandates, the task force said further regulation may be warranted in cases of industries that control critical infrastructure, but it wants to keep new requirements light. "Any additional regulation should consider the burden on the private sector by requiring agencies to conduct a thorough cost/benefit analysis," the task force report says.

Businesses directly involved in these critical areas should contribute to developing these additional standards, the report says. In addition, if businesses comply and are breached anyway, their liability should be reduced by virtue of compliance.

The task force recommends investigating whether it makes sense for businesses to report more cyber-incidents than they are required to under current laws. So rather than reporting only incidents in which personally identifiable information such as credit card numbers is stolen, they might also have to report when intellectual property is stolen. The goal would be "to improve both law enforcement response and protection of critical infrastructure."
