Cybersecurity didn't get much attention during the 2012 election season -- neither President Barack Obama nor challenger Mitt Romney mentioned the issue once during the presidential debates. But with election fervor dying down and rumors of Iranian cyberattacks
And not a moment too soon, experts say.
"The data that is stored today is very valuable, and like any crime, people are going to go after something that has value, that they can make money from," said Ian N. Friedman, an adjunct professor of computers and criminal law at Cleveland-Marshall College of Law in Cleveland. "I think this is going to be one of the greatest dangers to the United States in the decades to come if we don't get ahead of it right now."
On Nov. 14, the Senate turned down another attempt at passing the Cybersecurity Act, but proponents promise the debate will continue in January. President Obama is also reportedly considering an executive order that would guide federal agency response to a U.S. cybersecurity threat.
One big concern, Friedman said, is the lack of uniform, consistent measures across governmental agencies when it comes to software, hardware and cybersecurity training. "There's nothing in place right now that allows everyone to act in conformity with one another, and that's problematic," he said. "Also, when you are dealing with the government and other important agencies that work with the government with their own valuable cyberdata, you've got contractors that are not adequately protected."
Under the proposed Cybersecurity Act, companies that operate critical infrastructure would be required to increase their network security. The act would also ease cyberthreat information-sharing among these companies' networks and the government.
While both sides of the debate agreed with these cybersecurity measures, opponents said it would put too great a regulatory burden on private-sector infrastructure operators.
With so much of the critical infrastructure run by private companies, it's difficult to protect national interests, said Mike Lloyd, chief technology officer at security management firm RedSeal Networks Inc. These competitive, profit-driven companies often put security on the back burner, he said. "If your market competitor outpaces or underspends and takes imprudent risks, you have a nightmarish choice: Do you take risks too, or do you play it safe and lose market share in the hopes there will be a major incident for your competitor and not for you?" he added.
When infrastructure is managed privately, the government should use regulation to create a level playing field for these companies, Lloyd said. "Help enforce industry-accepted standards consistently, so that competition can work effectively without allowing companies to take unwarranted risks with the personal information, the wealth or, in some cases, the lives of citizens," he said.
Cybersecurity compliance measures
Is one sweeping piece of U.S. cybersecurity legislation the answer? It could be, Cleveland-Marshall's Friedman said, but the law would have to be comprehensive, with mandatory rather than incentive-based compliance rules. "Right now, it's basically leaving it up to those who want to comply, and I think there have to be penalties for people that don't follow the policies and procedures," he said.
Friedman suggests that companies handling any sort of sensitive data should be certified and recertified periodically. Having this requirement -- and the penalties for noncompliance -- built into a cybersecurity law holds companies accountable, he said. "There has to be some kind of accountability so that if business owners or the heads of these governmental agencies are not keeping us safe, there is going to be some sort of consequence," he said. "Right now, there's not any."
Any piece of cybersecurity legislation requires keeping pace with potential attackers, RedSeal Networks' Lloyd said. Hackers often use automation to find weak spots in defenses, so continuous monitoring is necessary to find these weak spots before attackers can. Requiring this automated analysis can cost-effectively enable businesses to understand their risk posture as conditions change, he said. "Legislation focused on audit paperwork will be counterproductive, adding bureaucracy," he added. "But if the focus is on automation of risk assessment, the regulated industry sectors can actually gain an advantage."
Finding this balance between good business and U.S. cybersecurity efforts will be necessary for any piece of legislation to move forward. Although the Senate ultimately voted against the latest Cybersecurity Act, the chamber came very close to reaching a compromise.
Cybersecurity bill proponents say the two sides need to come to terms -- and quickly -- to protect the U.S. from increasing threats. "It is disappointing that senators haven't yet been able to reach an agreement on cybersecurity legislation, but stalemate doesn't make the issue go away," said Robert Holleyman, president and CEO of the Business Software Alliance, in a statement following last week's Senate vote. "There is no getting around the fact that we need to bolster America's cybersecurity capabilities."