This directive, like most others coming out of Washington these days, will prove to be yet another compliance burden that businesses will face.
Interestingly, looking through Obama’s Cybersecurity Near Term Actions, most of these things have already been put in place in some form: FISMA, InfraGard, the myriad of federal and state privacy/security regulations, the NIST Special Publications and CSRC resources to name a few. They’re just not being used or enforced. And, something we often see, instead of using existing resources and enforcing existing laws, politicians prefer to create new ones. It helps justify their existence.
Obama’s Near Term Actions also lay the groundwork for further government regulations on business. Death by a thousand cuts that only business owners and leaders fully understand.
Bureaucrats wanting more and more control of the economy and people will talk the talk – as if they’re the information security experts – to push these types of initiatives. Perhaps we’ll see some infrastructure security improvements at the federal government level long-term. However, I suspect this order – or any one following it – will have minimal impact on information risk in this country as a whole.
Why? Because people who are careless, overworked, under-qualified, cash-strapped, risk-ignorant, and so on will continue to look past the information security basics and keep doing things like:
- Trust that cloud providers are always doing the right thing
- Use phones and tablets without a trace of security enabled
- Leave firewalls configured with no passwords and weak rules
- Continue to overlook the value of whole disk encryption for laptops
- Forget to set passwords on their database servers
- Write code that enables SQL injection
- Ignore patches from Microsoft, Adobe, Oracle (Java) and other vendors
- Choose to believe that basic vulnerability checks using a “PCI-capable” scanner are all that’s needed to find the flaws in servers, databases, web applications, mobile apps, or any other system with an IP address or URL
I could go on and on but you get my point. Neither Obama nor any other politician is going to truly fix these things. How about letting the free market decide which businesses survive?
I strongly believe that any such “cybersecurity” directive out of Washington is not about information security. It’s about control. They can continue layering on all this showy bureaucracy but I’m just not buying it.