New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington

from the might-we-suggest-starting-at-the-VA? dept

Tue, Feb 20th 2007 9:46pm — Carlo Longino

CNET News.com has an interview with Greg Garcia, the new assistant secretary for cybersecurity and telecommunications in the Department of Homeland Defense -- the country's top cybersecurity official. Perhaps the most interesting part of the interview is where he discusses his plans to call on Congress to create some incentives for companies to invest in better security and training. There's a risk in creating incentives for this sort of thing, since many companies will just focus on creating solutions that comply in order to receive benefits, rather than ensuring something is actually secure. But the idea of creating incentives, or at least removing disincentives, generally makes sense -- perhaps too much sense to survive in Washington. If you consider how courts and governments respond to security breaches that expose people's personal information, it could almost be argued that companies have an incentive not to invest in better security, since they get let off the hook so easily, and when they do get in trouble, the penalties are such a slap on the wrist that it probably makes more sense just to accept them as a cost of doing business, rather than investing in security and changing procedures to avoid paying them in the future. It appears that this is what many companies do already. For instance, in the wake of the recent TJX data leak (which looks like it's the biggest credit-card leak ever), it was revealed that just 31% of retailers follow Visa's regulations on how credit-card info should be handled. But if they don't comply, and lose data, they're not the ones on the hook for fines -- the bank that processes their payments is liable -- so they hardly have any reason to follow the rules. And in any case, Visa assessed less than $5 million in fines last year, which isn't even a drop in the bucket to the banking or retail industry. The incentives in this area are badly misaligned; hopefully this new cybersecurity czar will be able to straighten them out.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

10 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Search Engines WEB, 21 Feb 2007 @ 5:32am

HIPAA and Sarbanes-Oxley
Analogies can be made to the causes for the creation of HIPAA and Sarbanes-Oxley.

Iin this current business morale climate, companies must be forced by fear to go that complicated extra mile to protect the consumer - when there is not an obvious tangible reward or immediate PR benefits.
[ link to this | view in thread ]
Evil_Bastard, 21 Feb 2007 @ 5:41am

Only the small/medium business owner is worried at this point. We've done many network/website/security assessments and it's always the little guy who is most afraid of breaking the PCI standards.
[ link to this | view in thread ]
Sherman T. Potter, 21 Feb 2007 @ 6:13am

Leaks
Aw, pony pucks!
[ link to this | view in thread ]
Overcast, 21 Feb 2007 @ 6:38am

Yeah!! Who need 'incentive' just make more senseless laws that take away people's rights!

Isn't that the 'trendy' thing to do now?
[ link to this | view in thread ]
Spork, 21 Feb 2007 @ 7:35am

Re:
Huh? Maybe I read the wrong article, but this didn't have anything to do with people's rights and everything to do with protecting your private data collected by companies during your normal business transactions. The incitive is to get businesses to actually keep a consumers info secure. If you're implying that it takes away from the business' rights, you're nuts. Standard ethnical business practice would dictate protecting your consumer's information.
[ link to this | view in thread ]
Spork, 21 Feb 2007 @ 7:38am

Re: Re:
Two things;

1) I meant "standard ethical" not "standard ethnical"
2) Completely disregard my comment if you were being sarcastic. Sometimes I miss sarcasm in type :)
[ link to this | view in thread ]
Patrick Mullen, 21 Feb 2007 @ 8:56am

I would say though that as long as the security officer of a company is the person responsible for the success and the failure of company databases, customer records and its network, companies would never solve the security issue. If security isn't the responsibility of every employee with ultimate responsibility residing in the office of CEO, then the game is already lost. What is needed is Systemic Security Management (SSM.) SSM describes an approach to security that encourages companies to make it an enterprise - wide focus, not just a functional responsibility. SSM is about the management of the "tension" points between people, process, technology and organization. The management issue is one of leadership that "does the right thing" and is not limited to the traditional confines of ROI. It is a management approach to security that goes well beyond the boundaries of the company to include not just people, process, technology and organization, but also partners, suppliers, customers and communities. SSM advocates that companies not just buy security, but also genuinely buys into security. Technology isn’t the only answer, and it can never solve the security issue. Companies need to stop jumping at the latest security vendor hype, need to stop just going out and buying the latest security “solution” and stop just reacting to the latest vulnerability. The govt. can play a part in either partnering with industry or regulating it. I think Greg Garcia is on the right track in trying to provide a carrot before he asks for the stick. Hopefully he will be successful.
[ link to this | view in thread ]
Michael, 21 Feb 2007 @ 10:25am

Re: Patrick
I agree that technology won't be the sole solution to the security problem. However, I think that without the latest technologies there is no way to stay ahead of the hackers. In addition to behavior training for employees, the software expected to use must be simple to understand. Otherwise integration into daily behavior will never occur.

Regulations like HIPAA (http://ezinearticles.com/?The-Modern-Medical-Office:--Balancing-Success,-Technology,-and-HIPAA& id=397130) are not a joke if they were to be carried out. The carrying out of the act itself in last years violations would have paid for the operating costs of the carrying out itself. Incentives should be provided but only in conjunction with following the compliance regulations.
[ link to this | view in thread ]
Anonymous Coward, 21 Feb 2007 @ 6:23pm

Those who handle sensitive personal information (should or do) have a fiduciary responsibility to protect it. Why should the government pay them to do what they already have a responsibility to do.

Here's an incentive that can work - pass a strong law and start throwing violators in jail. Making the penalties severe and certain are all the incentives that are needed or desirable.
[ link to this | view in thread ]
Charles P. Meister, 7 May 2007 @ 12:18pm

Re: Systemic Security Management
Of course, we think you are right on. We'd agree that Mr. Garcia's approach is a start. However, the best way to make security work is to make it a 'C' level initiative. The C suite will mandate SSM when they understand that it's about competitive advantage and brand survival.

We have a number of companies who 'get it' culturally. However, the majority still approach security from a technology orientation alone and are stuck in Level 1 and, thus, are highly vulnerable. So, our work continues...

Where did you learn about SSM?

Charlie Meister
Executive Director
ICIIP at USC
213-740-0980
[ link to this | view in thread ]