Should the Government Intrude on Private-Sector Cybersecurity Issues?By Erik Sherman
If Metropolitan Telecommunications CIO Alex Citkin wants to remember Sept. 11, all he has to do is look across the street. Today, as then, the telecom provider occupies offices opposite the New York Stock Exchange, which was shut down by the terrorist attacks and was named as a continuing target this summer. But his belief that the federal government should take a greater responsibility for the security of the country's IT infrastructure depends as much on what has happened since that terrible day. Viruses, worms, spam and the extended corporate infrastructures necessary for offshoring have all increased the vulnerability of corporate IT systems. "This opens the gate for cyberterrorism, and that's real terrorism, just a different flavor," he says.
Citkin is just one of the 66 percent of the IT professionals who responded to this month's survey on security who agree that the government should get more involved in the protection of the country's information infrastructure. That number comes as a surprise, given how rarely businesspeople ordinarily look for increased government involvement in their affairs. In fact, every single CIO we spoke to for this article who agreed that the government should get more involved also said that five years ago they would have taken the opposite view.
The problem, as many CIOs see it, is that the complexity and difficulty inherent in true cybersecurity has simply outstripped their individual abilities to adequately address it. "I'm with the rest of the IT world in that I want less government interference. At the same time, however, the government is set up to protect the borders," says R. Spencer Van Pelt, information officer of Republic Mortgage LLC in Las Vegas. "That policy should also include electronic commerce."
CIOs also express concern that the private sector alone could not achieve the necessary security because companies are now so interconnected that every problem can affect dozens, even hundreds, of other companies. Because companies tend to look to their own interests, the feeling among these CIOs is that it would take the government working with industry, and in some cases filling the position of a mediator, to create a secure environment. "Unless there is somebody at a higher level who can coordinate [businesses], how can you get them to even share information?" asks Sandy Phillips, senior vice president and CIO of Jackson Health System in Miami. "They don't want to share information on their vulnerabilities."
Unfortunately, CIOs aren't so sure exactly what the government can and should do. Some call for regulation similar to the Sarbanes-Oxley Act, while others simply want uniform security standards. "The industry groups often come up with standards that offend the least number of people," Phillips says. "We need to focus on how we get the best effect." Others want more extensive government involvement, which might include vulnerability assessments across industries and differing aspects of the infrastructure. And every supporter of increased government involvement said they are disappointed in the current state of government action.
While the few CIOs we spoke to who wanted little or no government interference in the private sector sometimes raise free market principles, their major objection is practicality. Because the government moves so slowly, by the time it took actionby publishing standards, for instancethey'd already be out of date. Given the poor marks that agencies, including the U.S. Department of Homeland Security, have received on their own IT security, many CIOs doubt that the government would be able to contribute much. Still, some argue that there is one type of law that could actually have a positive impact. "If you made companies liable for information disclosure problems and hacking, like California's done, that's a wake-up call," says Thomas Staight, the top information systems executive for NemcoMed Inc., a Hicksville, Ohio-based manufacturer of orthopedic implant tools and parts.
Still, many of these same CIOs see virtue in the government's ability to take a long-term view of the problem. "Help us understand where the technology is going," says Rob Baxter, vice president and CIO of Phoenix-based diversified manufacturer EaglePicher Inc. "We're throwing lots of money at solving security problems, but they're all very tactical approaches without a systemic approach." If government were to fund research, particularly through universities, that might identify and solve future cybersecurity needs, Baxter believes, then companies could look to vendors to create the necessary products.
Some members of the U.S. House of Representatives have been following cyberterrorism and security issues and have tried working with groups such as the Corporate Information Security Working Group as a way of encourag- ing better practices. Others in both parties in Congress note that if things don't improve relatively soon, new laws could quickly follow. So for better or worse, the majority of IT executives may get their wish.