
Senate Gridlock Means Firms Must Assure Their Own Cyber Security

A frustrated Senate committee chair has sent letters to the CEOs of every Fortune 500 company, asking them to characterize their firms' cybersecurity policies and practices.

The letters came amid election-year paralysis on Capitol Hill that has stymied efforts to pass a new cybersecurity bill. A bill introduced by Senator Joe Lieberman of Connecticut, a political independent, won majority support in the Senate, but was defeated by a Republican-led filibuster.

Rockefeller, a Democrat who is head of the Senate Commerce Committee, attributed the setback to lobbying groups and trade associations, especially the US Chamber of Commerce. He said the letters to CEOs were an effort to obtain their views on cybersecurity "without the filter of Beltway lobbyists."

Whatever one thinks of the letter-writing campaign, the back-and-forth about cybersecurity legislation is likely to continue. And whatever one thinks of federal regulations, this is bad news for firms, which will be left without clear guidance and standards for protecting their sensitive information and systems.

Needless to say, hackers are not going to hold back and wait for the United States Senate to make up its mind. They will redouble their efforts to make the most of cybersecurity policy disarray.

Remember, too, that the great majority of these hackers are no longer the geeky teenagers of yore. Today's black-hat hackerdom is dominated by organized crime rings, politically motivated "hacktivists," and state-sponsored intelligence operations. Some are out for the money. Others are out to damage perceived enemies, or to obtain industrial and technological secrets of potential strategic value.

The good news is that effective cybersecurity is available, even in the absence of settled federal cybersecurity regulations. The ISO/IEC 27002 industry standard outlines the basic principles of effective security. Costly vendor solutions are not enough, and often are not needed. What is needed is a proactive approach to cybersecurity, supported from the top.