Ready? Secure? Disclose

Are you ready to declare your company secure against attacks from cyberterrorists?

If you’re not, get moving. The odds are increasing that in the not-so-distant future, legislators will make corporate America adhere to yet-to-be-defined best practices in cybersecurity.

Just as the Sarbanes-Oxley Act of 2002 is designed to assure investors that corporate financial records are properly prepared and accurate, and the Health Insurance Portability and Accountability Act mandates procedures for maintaining and exchanging medical information, the processes used to secure data and computing resources may face compliance legislation.

Rep. Adam Putnam (R-Fla.) last fall drafted the Corporate Information Security Accountability Act of 2003, which would require companies to secure their information systems. The bill has not gone before the House of Representatives, but the proposals in Putnam’s draft as well as other recommendations are being batted about in a working group created by the subcommittee Putnam chairs, the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

In the name of protecting national infrastructure, you may be asked to conduct annual security audits, produce an inventory of key assets and their vulnerabilities, carry cybersecurity insurance and have your security measures verified by independent third parties, if the core features of the proposed legislation make it to the floor of the House.

The work is proceeding. In April, the working group submitted 23 suggestions to the subcommittee, including a provision to shield companies from large, punitive lawsuits over security breaches.

What’s at stake, in Putnam’s view, is domestic security. Not only could terrorists take down your systems, they could also use your computing resources to attack federal, state and local computer networks.

Putnam’s subcommittee resides under the Committee on Government Reform, headed by Rep. Tom Davis (R-Va.), who sponsored the Federal Information Security Management Act of 2002 (FISMA), which requires federal agencies to identify information security risks and fix problem areas.

Putnam’s staff is evaluating the proposals and will kick them back to the working group, which includes representatives of 22 trade associations such as the National Association of Manufacturers (NAM), the Business Software Alliance and the U.S. Chamber of Commerce.

No timeline has been set on when legislation could reach the House floor, but Chrisan Herrod, a professor at the National Defense University, a joint military-educational facility, says she doesn’t expect Putnam to push a bill before the November elections. Putnam’s timeline is “short,” but he doesn’t define it. Meanwhile, groups such as the Information System Security Association (ISSA) are creating best-practices guidelines in the hope companies will adopt them out of self-interest.

But, if they don’t, “we reserve our right to legislate,” says Bob Dix, staff director of Putnam’s subcommittee. “What did it take to get corporate America motivated about Y2K? It took a Securities and Exchange Commission requirement to include a readiness statement in the annual report.”

Herrod, along with security experts such as Darwin John, the former chief information officer of the Federal Bureau of Investigation, sees more regulation as inevitable. Why? Corporations aren’t going to voluntarily revamp security systems when the returns on investment are murky.

At Fannie Mae, Herrod helped ensure that the mortgage company matched its business partners’ compliance with the Gramm-Leach-Bliley Act of 1999, which requires financial data privacy. At GlaxoSmithKline, her projects revolved around compliance with Food and Drug Administration rules. “The only reason I got any money to implement was regulation,” Herrod says.

Putnam’s effort is the latest to beef up the nation’s cybersecurity. President Clinton issued a directive on information security in 1998, outlining basic requirements such as antivirus protection and authentication. President Bush later urged a public-private partnership to secure the Internet. That plan, penned in 2003 by Richard Clarke, former special advisor to the president for cyberspace security, has had little impact so far.

Meanwhile, cybersecurity gets worse. In the last six weeks, source code from Cisco Systems was leaked on the Internet, the Sasser worm wreaked havoc on corporate systems and Gartner reported that consumers lost $1.2 billion in 2003 due to “phishing attacks.”

Despite the lack of success from the government’s previous plans, security experts are taking Putnam’s legislation push seriously because Congress was able to pass FISMA two years ago. Why not expand a cybersecurity edict to the private sector?

Clarke says he doesn’t favor more regulation to govern cybersecurity, but would like current mandates to be more specific. He also advocates a series of steps—avoid software vendors with insecure applications, require two-factor authentication, benchmark the security of applications, diversify software vendors, and so on—that the public and private sectors can take.

In any case, the clock is ticking. Recent cyber-attacks will only get worse unless the public and private sectors collectively beef up information security. One problem: Companies don’t consider their networks part of the national infrastructure. Since all networks are interconnected, executives need to realize their networks could become a staging area for a cyberterrorism attack.

“What we see today is the tip of the iceberg of what could happen,” says Clarke.

So what can you do today to get ahead of cybersecurity regulation?

For starters, you can track developments from Putnam’s subcommittee (http://reform.house.gov/TIPRC/). The draft’s key provisions would require companies to:

  • Perform a security audit to assess the risk of unauthorized access, disruption, modification and destruction of information and information systems.

  • Investigate cyber-risk insurance. Putnam says the insurance industry should cut prices for companies that meet best practices.

  • Take an inventory of critical assets such as routers, servers and areas where there’s easy access to networks. Herrod says inventory is the most underrated security chore.

  • Develop risk mitigation, incident response and business continuity plans, and test these procedures quarterly to annually, depending on best practices.

  • Submit to an information security audit by an independent third party.

Four of these five practices are considered by security experts to be no-brainers. The final one—an information security audit—could be stickier. For starters, it’s unclear whether a newly created or existing agency would oversee the audits. Putnam’s draft puts information security verification under the SEC, but analysts such as Forrester Research’s Michael Rasmussen say such monitoring is “out of scope” for the agency.

According to David Peyton, director of technology policy for NAM, the biggest issue facing any cybersecurity law is the lack of best practices. “Computer security audits are 80 to 90 years behind financial audits,” Peyton says.

If executives don’t get involved soon, they could wind up adhering to standards set by Beltway regulators who didn’t get input from the managers who implement information security procedures, according to Herrod.

“What’s scary about this is the people driving don’t have business user input,” she says. “I don’t think it’s thoroughly thought out—not that Putnam isn’t right.”

The lack of user input is not surprising given the reaction from executives contacted by Baseline. Most had never heard of Putnam or his working group. However, executives don’t doubt that cybersecurity regulation is on the way.

David Womeldorf, chief technology officer of beverage equipment parts distributor Bevcore Solutions in Osseo, Minn., says he is comfortable with having security practices verified by a third party. Womeldorf supports offering the public a “fairness statement” that, as in the accounting world, affirms proper practices are in place.

While it’s still early, security experts like John, now a principal at Blackwell Consulting, are convinced companies are going to face more information security regulation from legislators like Putnam: “This is a train going someplace, and it’s understandable that someone wants to lead it.”

Tom Steinert-Threlkeld contributed to this report.

How You Can Beef Up Cybersecurity

  • Put someone in charge. Make one executive, a chief security officer or another high-level manager, accountable.

  • Create policies. Develop clear policies and procedures governing security—and how you share data.

  • Enforce those policies. Have the executive in charge ensure compliance through regular audits.

  • Benchmark yourself. Identify the most secure part of your company—and set that as the standard.