US Homeland Security Secretary Jeh Johnson recently spoke at a conference at the Center for Strategic and International Studies (CSIS) about the challenges of cybersecurity as they affect the federal civilian .gov world. In his speech, secretary Johnson stressed the importance of passing new cybersecurity legislation to improve data sharing when breaches occur. Indeed, his speech would go one step further to incentivize organizations to report non-breach security incidents.
The core of Secretary Johnson’s speech rests on the idea of striking a balance between creating a perfectly secure data ecosystem (which is not practical) and leveraging the benefits of mobility and connectivity:
“Cybersecurity involves striking a balance. I can build you a perfectly safe email system, but your contact will be limited to about 10 people, and you would be disconnected entirely from the Internet and the outside world. This, too, would be like a prison.
The reality is we live in an interconnected, networked world. Cybersecurity must also be a balance between the basic security of online information and the ability to communicate with and benefit from the networked world.”
While a closed system is unrealistic, there is no question that cyber threats are increasing in frequency, scale, sophistication and severity. The recent breach at OPM is an example of how federal cybersecurity is, as Johnson notes, “not where it needs to be.” The creation of the Cybersecurity Sprint Team, who are conducting a rapid response assessment of federal systems, is a great first step. Following the 30-day review, a new strategy and set of action plans will be established with more focus on protecting data at rest and in transit, improving situational awareness, greater education, and more automation on areas such as patching.
A lot is being said about the importance of layered security, which is our own stance here at Absolute as well, and the critical role that education plays in preventing a cybersecurity incident (as employee mistakes often open the door to incidents). These are all fantastic steps forward.
In his speech, Secretary Johnson has called for Congress to do more. His recommendation, beyond implementing information sharing technology and processes to allow information sharing when breaches occur, is to roll out a national data breach reporting system (create a national data breach law) and to incentivize the private sector to share cyber threat indicators, even if it did not lead to a data breach. The idea is that greater sharing of information will help everyone improve their security preparations.
Do you think organizations would participate in voluntary information sharing of non-breach incidents? Is there already too high a burden with compliance reporting? Would a national data breach law simplify, or end up less effective, as others postulate?