U.S. President Barack Obama's decision to sign an executive order on cybersecurity has not quelled the debate regarding the necessity of legislation.
"For the most part the executive order is looking to implement frameworks that better enable voluntary cooperation across the public and private sector, especially as it relates to critical infrastructure, however it doesn't really address…how to deal with organizations that willingly neglect basic security procedures," said Amrit Williams, CTO of Lancope. "I am not convinced that legislation is the best approach to ensure a base level of security and instead think that the focus should be on enabling better cooperation, information sharing, and incentives for organizations that meet certain requirements."
Inside the executive order is a call to expand the voluntary Enhanced Cybersecurity Services program, as well as to expedite the granting of security clearances for personnel at critical infrastructure companies. There is also a provision directing the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity best practices and standards for critical infrastructure providers.
But what is missing from the order, and what could be in legislation, is specifics.
"Future cyber security legislation needs to set a clear standard for information sharing between the private and public sector to ensure there is meaningful dialogue about cyber threats," said Entrust President and CEO Bill Conner. "Legislation needs to clearly articulate not only when information should be shared, but also what information should be shared. I think federal agencies may be less hesitant to share information with enterprise if legislation provides them with a clear directive on how to communicate critical cyber security information."
There are many items that remain to be resolved by the government agencies through cooperation with the private sector, said Joram Borenstein, senior director of product marketing at NICE Actimize. These include a risk-based identification of critical infrastructure and the adoption of the best practices from NIST.
"Much of the legislation needed is to enable the statutory framework to best execute against the Executive Order – allowing government departments as well as private industry to collaborate as well as grant powers to certain regulatory bodies to draft appropriate regulation," said Ben Knieff, also of NICE Actimize. "So, much is about the ability to fulfill the order and respond to the recommendations/standards as it is to go beyond it."
Legislation often tends to be too far behind the actual threats, said Knieff, who is director of fraud product marketing.
"This is why a risk-based approach that requires organizations to effectively evaluate threats and appropriately respond tends to work well," he said. "Using a risk-based approach allows the legal framework to stay in place while the expectation is to stay abreast of the risk and respond accordingly."
The debate about legislation is far from academic. The signing of the executive order came after multiple attempts to pass legislation failed in 2012, with opposition coming from a variety of corners, from privacy rights advocates to the business community.
"Legislation is the wrong approach, unless we are focusing on malicious intent or gross negligence on the part of an organization," Williams told SecurityWeek. "Not only due to the changing nature of the threat, but also because the focus of compliance initiatives…has been looking at an organization's ability to implement security controls on top of commercial technologies. One problem with this approach is that the majority of technologies companies implement are inherently insecure, not only the myriad vulnerabilities in enterprise software but also protocols that enable the Internet itself. The issue with legislation is it penalizes the consumer of technology as opposed to the folks that develop technology."
A more effective approach for the government to take may be to offer incentives, some experts have said. In the executive order, the secretary of Homeland Security is tasked with working with other agencies to establish a voluntary program to implement the NIST framework. In order to speed adoption, officials are directed to come up with incentives to encourage companies to get involved in the program.
Just how effective incentives are, however, can be influenced by the industry, said Knieff.
"Financial institutions, for example, have a hard dollar cost associated with cybercrimes and cybersecurity lapses in fraud and lost business – and are constantly under attack. Other entities may not have as direct a cost – or may be attacked much less frequently, so less incentive to harden security. Fines and penalties are one of the tools immediately at the disposal of legislators/regulators – particularly when they cannot change other incentives easily."
Most organizations want to do the right thing and are making great efforts to ensure they protect their intellectual property, their customer private data and their own infrastructures, Williams said.
"We need to start creating incentives for organizations to do more, just as we have done with the rebates on the adoption of more energy efficient technologies or tax incentives for organizations that participate in supporting non-profits," he said.