Standardizing Cybersecurity Regulations Proves Difficult

Disir

Sep 30, 2011
The spate of recent ransomware attacks on federal contractors and operators of critical infrastructure, culminating in the attack on Colonial Pipeline in May, has built momentum for new federal laws and regulations to require disclosure of breaches as well as mandatory cybersecurity standards.

But writing such laws and regulations in a timely manner and ensuring they are finely tailored is likely to pose a challenge involving multiple federal agencies, Congress and the new national cyber director.

In the aftermath of several high-profile cyberattacks, “I do think you’re seeing some recognition that business as usual and the status quo just isn’t going to cut it,” said Frank Cilluffo, director of Auburn University’s Charles D. McCrary Institute for Cyber and Critical Infrastructure Security and a member of the congressional Cyberspace Solarium Commission.

That looks like it's going to be a lot like herding cats. Simply getting to an agreement on standards is going to be tough.
 
We need systems with a physical "key" to do administrative tasks.
Like a car with "remote start", it can be hacked and stolen.
But w/o remote start, a physical key is required.
We need to get really secure.
 
That’s called multifactor authentication, and it’s being widely implemented; in fact it’s right there in the OP (the article in the OP refers to it as "two-factor authentication", which is a subset of multifactor).
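As an added example (not from any post in this thread), here is the "physical key for administrative tasks" idea from the two posts above expressed as an OpenSSH server configuration: members of an admin group can only log in with a FIDO2 hardware security key that also requires user verification, so a stolen password, a phished one-time code, or a copied key file is not enough on its own. Assumptions: OpenSSH 8.5 or newer on the server (for the `PubkeyAcceptedAlgorithms` keyword), the Unix group name `sysadmin` is hypothetical, and each admin generated their key with `ssh-keygen -t ed25519-sk -O verify-required` while the token was plugged in.

```sshconfig
# Added example, not from the thread: sshd_config fragment that makes
# administrative SSH logins require a physical FIDO2 security key.
# Assumes OpenSSH >= 8.5 and a (hypothetical) admin group "sysadmin".

# No passwords or keyboard-interactive fallbacks for anyone.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

Match Group sysadmin
    # Public-key authentication is the only acceptable method for admins.
    AuthenticationMethods publickey

    # Accept only FIDO-backed key types (ed25519-sk / ecdsa-sk). A plain
    # ed25519 or RSA key file, even one copied from an admin's laptop,
    # is rejected for this group.
    PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com

    # Require that the authenticator attests the user was verified
    # (PIN or biometric) in addition to the physical touch that FIDO
    # keys already demand by default.
    PubkeyAuthOptions verify-required
```

Validate the file with `sshd -t -f /path/to/sshd_config` before reloading the daemon. The `PubkeyAuthOptions` keywords only affect FIDO key types, which is why the `PubkeyAcceptedAlgorithms` line is needed as well: without it, a non-FIDO key would still be accepted and the touch/verify requirement would never apply to it.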
 
We already have a variety of very solid independent standards for cybersecurity (e.g. NIST, CIS, PCI, ISO/27001-2, COBIT, ISO/IEC 15408); we don't need the Federal Bureaucracy developing a new one that will, as the article points out, most likely fall out of date. What companies need from the Federal Government are RESOURCES and GUIDANCE to assist them in implementing the ones that exist and in maintaining security as threats evolve.

The primary issue is that many companies lack the expertise to implement the systems, processes, policies, procedures, and TRAINING needed to achieve effective defenses, not to mention sufficient resources (human and capital). In larger companies this can be challenging, since many legacy systems were designed and built in times when system security took a back seat to functionality, performance and reliability, and thus ended up riddled with vulnerabilities at production release. Systems like these are extremely difficult to secure, since you're talking about years of spaghetti code that has been maintained by different developers, which often means they need to be completely scrapped and replaced, not easy for large business-critical systems.

You also have to deal with the problem of user resistance: adding security measures is often viewed as making systems less convenient to use, thus leading users to do whatever they can to get around them. Worse still, your user base must be TRAINED in good cybersecurity practices, otherwise they end up being primary vectors for breaches. In other words, your own human resources are often working against you.

I could go on and on about this subject (even more than I already have), but the bottom line is that I think regulations aren't the way to go here; it's LEADERSHIP and COOPERATIVE EFFORT that are needed.
 
We have a lot of cybersecurity standards already. You can have all the standards in the world; it means nothing if you have incompetent people running the systems. Fewer affirmative action hires and more hiring of people based on skill and experience.
 
