Should Government Be Dictating Cybersecurity?

The involvement of government in private industry has long been debated, and there is still no clear determination of how deep is too deep. We’ve seen many nations handle the internet and businesses differently, with varying levels of openness and concern for the citizens. In the US, it certainly blurs the typical party lines when it comes to guidance, incentives and regulation of the cybersecurity of the nation’s businesses. How much should the government be doing to secure our digital infrastructure, and how much should businesses be protecting themselves?

If the financial system is any barometer, businesses need to do a much better job of policing or securing themselves. But when a strong bottom line now oftentimes negates protections for the future, there is a huge concern about the security of businesses, their data and the data of their customers moving forward.

Too often, the IS teams are reactive. When there is an issue, the teams are built up, and when things are calm, they are too easily downsized. (The comparisons to the military are striking.) But then when the government gets involved, it raises all sorts of mumbo-jumbo, as seen in this Reuters post from last week.

Obviously, the breach of some systems could have a huge effect on the well-being of the country. With more cloud services being offered, it is not just a matter of big businesses leasing a farm of insulated servers in some remote location. It is a matter of multiple big businesses intertwined, using the same services of the same cloud, which could be so easily compromised without the security oversight that is needed and expected by customers. I am all for cloud resources as they save time and are extremely effective, but the breaches over the past couple of years are concerning. The voracity of the attempts to access databases and cause disruptions, for fun or for truly malicious intent, is rising and will continue to do so. To a certain extent, if the enforcement agencies were not involved in ensuring the security systems, it would be like police officers being called upon to recover all of a company’s stolen goods when the company decided they weren’t going to install the alarm or pay their alarm bills because of down cash flow.

I don’t know that the best solution will come from any Senator or Congressional office. I also don’t know if security for all businesses would be any more effective if mandated by government agencies. It really does come down to the businesses holding to their responsibility to ensure safeguards against their business disruption. Perhaps the government can insert itself as an advisor-partner when it comes to the larger service groups that touch upon many big businesses, like the Amazon Cloud. Maybe Representative Mac Thornberry and his task force are correct in saying that there should be incentives to ensure that companies secure themselves, but isn’t that just another government handout to corporations? Senator Harry Reid’s office is working slowly on a Cybersecurity bill, but that’s taking too long, perhaps due to the stickiness of the whole thing.

Ultimately, there is no simple answer.  In the best of all possible worlds, the businesses would be responsible to secure themselves and there would never be any breaches or threats.  But we don’t live in that world and it might be that government is muddying things up further by systematically removing any sense of responsibility many businesses have to their customers or each other. 

[UPDATE] This afternoon on PRI’s THE WORLD, Marco Werman interviewed Misha Glenny regarding cybercrime and his new book, DarkMarket: Cyberthieves, Cybercops and You. In the interview they discuss cybercrime, the diversity of the characters and what motivates them. While our original post was focused more on the annoyances for companies and customers due to breaches in security, this discussion delves into the downright worrisome in regard to the recent breach of Citigroup’s database, where they lost 200,000 account details, and the scary relating to the fact that the drone aircraft controlled from within the US now have viruses. Those viruses are not doing anything right now, but they cannot get rid of them. If they were to do what other viruses do and take control of the drones, who knows what can happen. In this case, the government should be fully involved. Don’t you think?
