Open Letter to Feds from the Hinterland
Heartfelt Plea to Tame Government Regulation
Dear Federal Government:
As an employee of a local government information security organization and leader of regional public/private sector information sharing and collaboration efforts, I implore you to consider a new approach to our joint efforts to secure information infrastructure.
Here in the trenches, the situation has become extremely serious and we're losing the battle to an adversary who's becoming more agile, determined and sophisticated. We no longer operate from a position of defending our perimeters; instead, we assume breaches will occur and have taken an information risk management approach to protect our information assets.
Though you and some of your industry collaborators, such as the Payment Card Industry, are well-meaning, you've mostly created regulations to secure the computing environment, efforts that address the old paradigm of a layered, perimeter defense. This approach has failed to increase security for a number of reasons:
- Generic regulation cannot address the complexity and variety of risks to any specific organization, industry or region;
- Efforts to comply have become a risk unto themselves as organizations divert limited resources to avoid sanctions from the regulatory bodies;
- Regulators and systems are not agile enough to adjust to the ever-changing threat landscape; and
- Only the organizations themselves can develop effective mitigations to the risks they deal with every day.
The best thing you can offer to those of us on the battlefield is quite simply research and development support and funding. There are some great examples of the efficacy of this approach that have taken place in the last few years. The Department of Homeland Security's Science and Technology Directorate, for instance, has funded and helped develop tools used to assist in the detection and prevention of botnet activities, contributions that effectively mitigate real-life threats used by organizations in a wide variety of industries.
Regulations have a place as suggestions of possible industry best practices, but in the end they do little to increase security of the information infrastructure. For instance, breach legislation before Congress calls for greater penalties without offering any funding, research or solutions to assist in the avoidance of breaches. It's an unfortunate case of creating legislation and regulations that are all stick and no carrot.
Please consider moving federal government toward a more supportive and collaborative stance with those of us in the hinterlands. This change would result in much more effective solutions to the problems we deal with every day.
David Matthews, CISSP and CISM, is the deputy chief information security officer for the city of Seattle and chairman of the Northwest Alliance for Cybersecurity, which promotes regional cybersecurity programs.