There appears to be a debate going on on the Hill as to the appropriate role the federal government should play in oversight and enforcement related to cybersecurity.
Do you think it is appropriate for the feds to audit and control what private companies do in regards to cybersecurity, in particular those private companies that make up what might be considered ‘critical US infrastructure?’
Share your thoughts.

I currently am responsible for developing the Energy Assurance plan for the state of North Dakota. In essence, this plan details steps the state can take to mitigate or address the effects of an energy supply disruption. From my experience in working with both private and public entities in creating this plan, a number of issues have arisen related to this topic:
-States and industry are very good at handling natural disasters and their effects (outages/disruptions). When those interruptions are manmade, however, the understanding of what steps to take is less clear.
-Both entities are highly focused on restoration. In a cybersecurity event, however, restoration may need to take a backseat to forensics. Or they may have to happen simultaneously. States and private industry often do not know or understand this concern.
-Neither has the resources or expertise to address cyber security response and prosecution as it hasn’t been made a priority.
-These types of incidents quickly escalate to a federal level. A cyber security attack on a large hydroelectric power plant supplying several states would be a federal issue, not a state one. More than likely the state would be asking for federal support due to lack of expertise and resources.
Given these issues I think it makes sense for the government to have some oversight in how critical infrastructure is protected from these types of attacks.
This is a pretty hairy debate. In short, yes. The government should have the right to monitor even private corporations. That said, thanks to the PATRIOT ACT, this is old news and something instated years ago. Here is how I see it: if I hire a contractor to work in my home, I have the right to question their actions in my home, even without their consent. It is my home after all and, as far as I am concerned, once they ‘contractually’ agree to work in my home, they waive their consent to my monitoring.
The real issue becomes safeguarding Intellectual Property (IP), and really, in my opinion it’s monetary. The big picture is that our monetary system must be allowed to spin. It is far from perfect; however, it allows for a way of life that to date, here in the states, is far removed from the indigenous regions of the world. It is the best we have.
The issue of “control” is a definite NO. Just off the top, many private companies are successful based on proprietary resources whose functions and uses may be confidential in nature and should remain the responsibility of said companies to protect. Just considering the amount of manpower that would be required by the Federal Government to “control” all the different private companies classified as “critical US infrastructure” is a logistical nightmare. This does not even take into consideration the varying levels of governance and controls that would be required from company to company posing even more of an unrealistic mandate where a blanket approach just doesn’t make sense.
On the other hand, a compromise could be agreed to with companies who choose to opt in to such a program/opportunity. Whereas when considering “audit” authority given freely to the feds, the promise of incentives relating to cybersecurity would inspire attention and consideration of participation. If incentives included, for example, metrics and solutions that result from a collective of cooperating organizations that share the same visions and threats, the benefits of Federal Government umbrella oversight and disciplined practices might be seen as an advantage.
Throw in some form of insurance making the feds liable for any violations of opted-in cybersecurity agreed terms and conditions, and companies might be begging to participate. Nobody likes the idea of “big brother” but if private companies can identify the benefits of such a move, they might willingly drink the kool-aid.
John,
read the PATRIOT ACT. There is no such thing as ‘opt-in’. This is a Federal ‘mandate’ and, until it gets repealed, will have no end in sight. If anything, stronger laws and information sharing within the agencies have been fortified since HR 3162. We can kick and scream and call it a bad dream, when in fact it has been a reality since well before 9/11. I agree that consent should be a right for any entity to have, including corporations; however, we are much past this point.
The issue is of National Security. Writing your Congressman will fall on deaf ears. Look up ‘state secrets privilege’ and the NSA/AT&T wiretapping ordeal and you will get a better sense of what is happening (but not before you read the PATRIOT ACT). No need to rant about big brother when the bigger picture is what I have mentioned in this post and my initial post. As for manpower? Who needs manpower when you have supercomputers and data-mining farms such as with the ECHELON program.
logos,
I don’t feed into the hype and hysteria conspiracy theorists dream up revolving around “big brother”. I tend to lean towards verifiable evidence witnessed on my behalf. I enjoy ATS and Ancient Aliens just the same as anybody else, but in all reality, they are at their core entertainment.
With respect to the Patriot Act, I am familiar. You are correct that it is a Government mandate which, summed up, allows the Government to monitor the activity of entities suspected of one thing or another that could be perceived as a threat to our great nation (the USA, if you are not American). Keyword being “monitor”, and in this respect, the Patriot Act does not mandate what tools and methods of cybersecurity practice and procedure private corporations are required to use or implement.
The problem lies in exactly defining what classifies corporations as “critical US infrastructure”. It is easy to grasp defense contractors and energy companies. But how about financial services? Wall Street in my opinion is “crucial US infrastructure.”
Manpower is a legitimate problem. Even if supercomputers and data-mining farms existed solely for the purpose of maintaining and enforcing US cybersecurity, you would still need analysts, developers, data center personnel, administrators, custodial engineers (janitors in layman speak), etc. in equal proportion to the number of corporations being monitored and controlled. Let’s not forget redundancy in this hypothetical “monster mining super mainframe of security”, further adding to the required personnel.
I’m not a proponent for heavy-handed government control, especially when it comes to information security policy. I’m certain that we have all witnessed the evolution of a policy (regardless of the type) that became more and more restrictive over time until the policy was so overbearing that it became more of a detriment than a benefit. This is something I would fear would happen if the Federal Government was allowed full oversight over all businesses. Certainly, all contractors should have to comply with Federal policy, but these kinds of things can spiral out of control over time.
There is no such thing as a completely secure device. Even if it is at zero power, there is the possibility of theft, destruction, or damage. Humans err, and so security breaches are always going to happen no matter how well prepared the Fed is. This could create a situation in which continued breaches result in increasingly restrictive measures. The ugly truth of this type of mentality is that it assumes it can fix the problem by ratcheting up the response until all incidents cease. This is simply unrealistic in the cybersecurity community.
Private organizations which do not share any direct infrastructure with the Fed should have no obligation to follow Federally mandated policy. If the organization fails to provide security, the organization will fail. This might seem a harsh statement, because in cases of massive identity theft, the ramifications can be vast and widespread. However, it is by falling down that we learn how to stand. For every organization that fails, thousands more see them as an example of what not to do. I suggest that it is a form of enterprise natural selection and, to continue the evolution of security best practice and tool creation, the community should not allow itself to be shackled and bogged down any more than it already is by procedure and policy. K.I.S.S.