IT Security And The Law

As security-conscious lawmakers look for ways to safeguard U.S. citizens, institutions, and facilities amid threats at home and abroad, they're turning more attention to the IT systems and networks that keep businesses running. The lawmakers are concerned that cyberterrorists-with agendas more sinister than other hackers-could disrupt an already-faltering economy or gain access to sensitive systems. But not everyone's sure that improved cybersecurity would result from increased federal involvement.

A House subcommittee began looking this month at how the private sector and the government might work together to combat cyberthreats. One House proposal echoed the Critical Infrastructure Information Securities Act, legislation introduced in the Senate in September by Robert Bennett, R-Utah, and Jon Kyl, R-Ariz., that aims to thwart attacks launched by cyberterrorists or other hackers-particularly those targeting the networks of key banking, energy, finance, human-services, telecom, and transportation companies.

Expected to be debated after the holiday recess, the proposed legislation seeks to promote voluntary, two-way data sharing about security threats between the federal government and private industry in an effort to analyze patterns of attacks and identify trends. The act would provide clear assurance under federal law that the information companies reveal about security breaches wouldn't be disclosed to the public under the Freedom of Information Act. "If information comes to the government for analysis, and then under the Freedom of Information Act the government reveals that to the terrorists, that's not too smart," Bennett said in October at a conference hosted by the Center for Strategic and International Studies. Instead, he said, "the government will do its analysis and then share that, and you'll begin to get the kind of strategic view that we're talking about."

Bennett also said that the Securities and Exchange Commission should adopt rules requiring public companies to disclose their readiness to meet cyberthreats. Bennett, the former chairman of the Senate Special Committee on the Year 2000 Technology Problem and a member of the GOP High Tech Task Force and the Senate's International Security subcommittee, said he has encouraged new SEC chairman Harvey Pitt to reflect on the favorable results of SEC-imposed Y2K remediation disclosure requirements. "If you adopt the fail-and-then-fix notion with respect to cyberterrorism, you're going to have much higher costs overall than if you establish the security up front," Bennett said.

There's no time to waste in implementing procedures to combat new security threats, says Richard Clarke, special adviser to the president for cyberspace security. "The biggest challenge is to persuade people in and out of the IT industry to assume that the problems they've seen to date aren't a good indicator of what they'll see in the future," he says.

Federal law-enforcement agencies warned businesses in October to be on an increased state of alert for cyberattacks (see "IT On High Alert," Oct. 15, p. 22; informationweek.com/859/alert.htm). The potential for damage was illustrated recently in Queensland, Australia, when a disgruntled job applicant hacked into a local district's computerized waste-management system and programmed it to release millions of gallons of raw sewage into local parks, rivers, and the grounds of a hotel. The government had to foot the costly cleanup bill.

But not everyone is convinced that sharing data with the federal government will reduce risk. "This gives me reason to pause," says John Hartmann, VP of security in corporate services at Cardinal Health Inc., a Dublin, Ohio, provider of products and services to the health-care industry. Hartmann points out that companies already voluntarily exchange security incident and vulnerability data with Infragard, a partnership among businesses, the FBI, various government agencies, and academic institutions; with the Information Technology Sharing and Analysis Center, an alliance formed by 19 top tech vendors; with similar groups in the electrical, banking, oil and gas, and telecom industries; and with CERT CC, a government-funded security watch group.

Hartmann wants clearer definitions of infrastructure and security standards the government itself will maintain. "You need to be concerned with whom you're sharing that information and who may have access to it," he says. "I'm not going to volunteer information to sit in their database and offer another risk point." The Senate bill acknowledges that the federal government's framework for critical infrastructure information sharing and analysis isn't sufficiently developed.

Some say Hartmann is right to be concerned. "The government hasn't proven its ability to protect its own information," says Gartner security analyst John Pescatore. This month, a House panel gave the government failing grades for its ability to protect federal computer systems from hackers and terrorists-a drop from the "D" it scored in September 2000.

Some observers support SEC-mandated disclosure on cybersecurity readiness. Companies will be more likely to invest in improved security if they have to disclose their efforts, says Bruce Schneier, founder and chief technology officer at security consulting firm Counterpane Internet Security Inc. "That was the thinking behind the Y2K disclosure law. Secrecy is bad for security."

SEC reporting requirements would "create a 'shame' factor as stockholders read what management has or hasn't done to reduce risk," says Jim Lewis, senior fellow and director of technology policy at the Center for Strategic and International Studies, which helps develop national and international public policy.

Not surprisingly, security vendors are receptive to the idea. Jeff Papows, former CEO of Lotus Development Corp. and now CEO of ZixIt Corp., an E-mail encryption services firm, says federal involvement would prompt companies to be more proactive in addressing threats to electronic communications outside the firewall. "Your average IT professional harbors the impression that he's using a secure and advanced communication mode," Papows says. "We haven't realized that today a healthy percentage of our electronic communications aren't within the confines of our corporations."

But the idea of having the SEC track cybersecurity isn't foolproof. Any rules wouldn't affect privately held companies, so businesses could still be vulnerable when collaborating with such partners.

John Nallin, VP of information services at logistics company United Parcel Service Inc., is open to some of the proposals being floated. "The more eyes I have to help me keep our systems secure, the better." But, he says, the prospect of a government-mandated set of security standards-if that's the direction the SEC moves-for all industries and all processes is unrealistic. "EDI has been around for 25 years, and there's still debate about standards there," he notes.

Cardinal Health's Hartmann adds that the speed with which new threats and security enhancements arrive makes compliance of any kind tricky. "It's too fluid an environment," he says. "When anything changes-anything at all-your security environment changes."

There's also the worry that forcing companies to disclose their cybersecurity status could do more harm than good. Allen Paller, research director at the SANS Institute, an IT security research and education group, says companies that disclose that information may become targets of hackers looking for a challenge.

Paller would prefer to see the government require that IT vendors stop shipping products with known vulnerabilities and provide self-deploying patches to buyers. "Should 1,000 people fix a lock, or should the guy that delivers the lock fix it once before delivering it?" he asks.

Presidential adviser Clarke's answer: "We need to insist that the next generation of hardware and software systems has security built into the basic architecture." The government should engage in discussions with IT vendors about security features to include in product blueprints, he adds.

Whether the federal government or the SEC will have influence over companies' IT security practices remains to be seen, but it's clear that lawmakers want more assurances that IT infrastructures are well-protected. The days when IT security was purely a private business matter may be coming to an end. -with Alorie Gilbert, George V. Hulme, Marianne Kolbasuk McGee, and John Rendleman