Information-Management.com: Let’s start with your takeaways from the president’s cybersecurity order. How do you see this playing out over the next six months and through 2013? And what businesses in particular should pay attention?
Barnett: You might be surprised. It could be very far-reaching because it’s going to address all 18 of the critical infrastructures [in the new presidential policy directive with the Executive Order signed February 12]. If any of the businesses touch on the chemical industry or the power industry or defense or telecommunications ... you see, there are a lot of businesses that would come across one of those industries. What we’re telling our clients is, ‘Don’t go to sleep on this and wait to see what happens.’ Even though these are voluntary standards, there may be a big gap they didn’t know about in what they’re expected to do, security-wise. It is a very aggressive plan to develop standards of practice. Within 240 days of the executive order, there has to be a preliminary draft of what this cyber framework will be. Within a year, they’ll have to have it in place.
In the meantime, there is going to be this participatory, consultative process where industry is going to come forward for each one of those sectors where they state what they do now and how they can up the game. If they’re a small business, they’ll probably have to monitor things through the media or a trade association. Larger industries will weigh in and directly participate because they’ll want input. At some point, these standards are going to be published and businesses are either going to be at those standards, or below them. If they’re below, they may be at a competitive disadvantage. Or they may have to take part in a certification program. Or, if you’re not and there is some type of data breach, there could be liability or penalty. The General Services Administration is supposed to make recommendations on how these standards can be incorporated into contracts.
That’s potentially huge because the federal government is the biggest customer in IT. That could reach all sorts of businesses, not to mention countless software companies.
If you’re doing business with the government, this cybersecurity legislation could become the new standard for doing business. The main thing is to monitor what is going on and, if you can, get involved. There’s a NIST request for information going out – actually, some of those questions are out now, even though it hasn’t officially gone out. Here, people can get a sense of what performance or methodologies they’re looking for. The second aspect of this is workshops that will start in April. NIST is going to really work through the industry sector coordinating councils. It depends on where each of these industries lines up, and there may be an additional way to participate.
Information-Management.com: Back to those basic players involved in the cybersecurity legislation, the utility providers and those essential to infrastructure. What is your sense when it comes to their security levels now?
Barnett: I wouldn’t want to disparage any efforts out there. I’m most familiar with the telecommunications industry, and there are a lot of great things going on there. But, on a daily basis, we hear about someone new who has been hacked. Government agencies, newspapers, defense contractors, Internet security folks have all been hacked ... Security costs money and insecurity costs money, and you have to balance which costs more. We’ve got to figure out a way to up our security game, and I’d say we have to incentivize security and, in effect, grow a security market. Tax breaks, limitations on liability, that type of thing.
Information-Management.com: At this same time, there are some concrete reports on sophisticated, state-sponsored hacking operations from overseas, namely China. Nations spy on each other, but give me some perspective on how a midsized business here in the States should deal with attacks or intrusion at that scale.
Barnett: It’s generally accepted that nations’ governments spy on other nations’ governments. What cyberspace has provided is countries spying on other countries’ businesses for advantage. I know some research from the Center for Strategic and International Studies that tracked a midsized furniture company in the U.S. that had an [advanced persistent threat] in place for years, and all of a sudden, its market share was going down to furniture made overseas. Even for furniture, for goodness’ sake, you could lose jobs and market share. That’s a roundabout way of saying, definitely, the companies that should worry the most are the ones who have no idea whether someone has been in their enterprise data systems or not. Just having a firewall and anti-virus is not enough.
Information-Management.com: One of the ways a lot of people are looking to get a better handle on the increasing amount of information is the cloud. It used to be thought of largely in terms of privacy, ownership and security, but it’s pretty clear that many cloud operations are safer than enterprise controls. In this overall cybersecurity discussion, what are you hearing and telling clients when it comes to the cloud?
Barnett: When I talk to the hands-on experts, the technical people tell me the cloud enables you to have more of that in-depth security. As opposed to that perimeter defense, which any halfway talented hacker can get into, the cloud lets you at least compartmentalize your damage and risk. Having said that, there are concerns about connectivity and having all your information in one place. We’re just delving into it on the legal side of it, the contractual relationships and what the back-ups are. The cloud is an innovative and very efficient development, and it’s not the last one. One of the things in the cybersecurity order, and even in standards or best practices in general, is that they’re going to have to be dynamic. They’ll have to include processes for regular updates. With cybersecurity legislation and the cloud, the last thing we want to do is codify this innovation into law.
Information-Management.com: We always hear dire warnings on the security front. But what are some basics or easy initiatives a business can take on to become more secure in short order?
Barnett: First off, there is a surprising amount of poor computer hygiene out there. Even updates on best practices and policies would absolutely make a difference at the business level. Basic things: actually having password protection and changes so, for example, your TV station doesn’t get hacked with jokes about zombies ... [laughs]. But businesses, if they’re not of the size where they can have a chief information security officer, what they ought to look at is at least having an analyst or consultant advise them on something like penetration testing. They can come in and see who’s playing around your security borders. Then, you at least have the knowledge to strengthen your vulnerabilities.