Three and a half years after 9/11, I remain astonished at how few of the comparatively easy and essential defensive tasks we've accomplished, in comparison to the vastly expensive (and often unsuccessful) initiatives that we have mounted.  One shining example is the failure to create and deploy a suite of effective first responder standards to enable those whose peak performance would be most essential in the case of a new disaster to even communicate effectively with each other.  Another is to put in place the necessary technical, procedural and regulatory controls needed to protect sensitive personal information.

I have two consortium clients dedicated to information security, and both have found it necessary to issue statements recently to highlight gaps in our cyber defenses.  The first was a terse statement issued on January 18 by PCI Security Standards Council, LLC, an organization formed by the major credit card payment brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to create and administer global security standards up and down the credit card payment chain.  The statement was occasioned by news of the latest in an ongoing series of breaches of consumer financial records, in this case involving millions of customer records maintained by retialer Target Corporation. 

A story that aired on the NBC evening news recently highlighted an even more appalling situation – focusing on county and other governments that had placed records on their Websites that included the social security numbers, names and birth dates of individuals.  These sites, of course, provide a gold mine for identity theft.

And then there is a press release issued two days ago by the Cybersecurity Industry Alliance (CSIA), whose top-level membership includes all of the major and anti-virus and other security vendors.  It's sober reading.

The press release announces the issuance of recommendations to improve security, as well as a report card on government action (and inaction) in the area of cybersecurity in 2006.

Here is a summary of 2006 government performance, as ranked by CSIA (the full press release can be found here):

Review of the State of Information Security in the U.S. in 2006

One year ago, CSIA called on the Administration and Congress to enhance the nation’s information security and reliability for consumers, industry and the government by acting on 13 critical recommendations to protect the nation against cyber threats.  Today, CSIA issues a Federal Progress Report to grade the government on its follow-through on its 2006 recommendations. Rather than grade each specific initiative, as done in years past, CSIA offers a composite grade for each area to provide a more holistic view of how the government is performing: 

Security of Sensitive Information:  Congress ratified the Council of Europe Convention on Cyber Crime but failed to pass a comprehensive law to protect sensitive personal information. Grade: D 

Security & Resiliency of Critical Information Infrastructure:  The Department of Homeland Security (DHS) appointed an Assistant Secretary for Cyber Security and Telecommunications and implemented programs such as LOGIIC and Cyber Storm, but hasn’t offered a clear agenda on the Department’s top cyber security R&D priorities or established a survivable emergency coordination network to handle a large-scale cyber security disaster. Grade: D 

Federal Information Assurance:  Government continues to offer a mixed bag of successes and failures, with progress within OMB and implementation of HSPD-12, but much improvement is needed in the areas of using the power of procurement, resolving systemic telework issues, and releasing information on the cost of cyber attacks. Grade: D

And here is a summary of the actions CSIA recommends for this year:

A Government Call to Action for 2007

In its 2007 Agenda for U.S. Government Action, CSIA calls on the Administration and Congress to implement the following recommendations to help improve the privacy, reliability and integrity of information:

Security of Sensitive Information:  Pass a comprehensive federal law to secure sensitive personal information and notify consumers in case of a breach.  This data security legislation should apply equally to all government and private sector entities that collect, maintain or sell significant numbers of records containing sensitive personal information, and require organizations to establish reasonable security measures to ensure the confidentiality and integrity of sensitive personal information, in order to minimize the likelihood of a breach.  

Security & Resiliency of Critical Information Infrastructure:  DHS should quickly establish cyber security and telecommunications priorities that address situational awareness, emergency communications and recovery and reconstitution and ensure that appropriate funding is in place to support these programs.  In the event of a major information infrastructure attack or disruption, an integrated, dedicated system should be implemented that can monitor the entire information infrastructure. 

Federal Information Assurance:  Congress and the Administration should work together to strengthen the Federal Information Security Management Act (FISMA).  To effectively establish and maintain a comprehensive information security program, the power of federal CIOs should be strengthened so that they can better enforce authority concerning budgets and personnel resources.  Federal agencies should increase their assessments and testing of information security controls, and acquisition regulations should be revised to ensure that all federal contractors comply with FISMA requirements.  In addition, all agencies establish a common requirement to notify citizens in case of a breach of sensitive personal information.

You can find a full copy of CSIA’s Federal Progress Report for 2006 and 2007 Agenda for U.S. Government Action here.

Why is progress in this area so difficult to achieve?  In part because there are so many points of weakness, which is where standards come in, both technical as well as “best practices” requirements against which practices and systems can be evaluated.  And partially because setting up and maintaining security is expensive and burdensome, which is where regulations come in. 

Hopefully 2007 will prove to be a year with greater progress in this area than 2006.  Standards organizations are  doing their part.  It’s time for governments to do theirs. 

For further blog entries on Standards and Society, click here

subscribe to the free Consortium Standards Bulletin