The failure of Congress to pass the Cyber Security Act of 2012 does not mean that the issue has gone away. On the contrary, there is a growing discussion in the IT security community about a possible executive order on cybersecurity.
Some say that it would beef up protection for vital information infrastructure. Some say that it would encourage government intrusion and create needless paperwork. Both claims may well be true.
As George V. Hulme reports at SearchSecurity, opponents of the Cyber Security Act of 2012 may have cheered its demise too soon. The federal IT security and intelligence community has started looking for alternatives, including an executive order.
At the same time, notes Declan McCullagh at CNET, newly released documents show that the secretive National Security Agency (NSA) is already testing the vulnerability of computer systems managing such vital infrastructure as gas pipelines and the electric power grid.
The NSA knows something about the "internet of things" and its vulnerability to attack. The agency is widely suspected of having created the Stuxnet worm, which caused thousands of centrifuges used in Iran's nuclear program to self-destruct on command.
Cyberwar, and cyberthreats that rise to the national security level, have become a reality. The James Bond of today is more likely to navigate a virtual network than ride on the roof of a train. Both government and businesses need to respond to this reality.
Communicating known security threats and events to security agencies is not an imposition: It is a layer of protection.
Finding a balance between information security and disaster prediction on the one hand, and privacy protection on the other hand, is not easy. But we don't have a choice – we need to do it.
For companies this process begins with actively thinking about security. Vendors are eager to sell security "solution" software, but even the best of these tools only protect against certain specific threats.