Information-Management.com: Let’s start with your takeaways from the president’s cybersecurity order. How do you see this playing out over the next six months and through 2013? And what businesses in particular should pay attention?
Barnett: You might be surprised. It could be very far reaching because it’s going to address all 18 of the critical infrastructures [in the new presidential policy directive with the Executive Order signed February 12]. If any of the businesses touch on the chemical industry or the power industry or defense or telecommunications ... you see, there are a lot of businesses that would come across one of those industries. What we’re telling our clients is, ‘Don’t go to sleep on this and wait to see what happens.’ Even though these are voluntary standards, there may be a big gap they didn’t know about in what they’re expected to do, security-wise. It is a very aggressive plan to develop standards of practice. Within 240 days of the executive order, there has to be a preliminary draft of what this cyber framework will be. Within a year, they’ll have to have it in place.
In the meantime, there is going to be this participatory, consultative process where industry is going to come forward for each one of those sectors where they state what they do now and how they can up the game. If they’re a small business, they’ll probably have to monitor things through the media or a trade association. Larger industries will weigh in and directly participate because they’ll want input. At some point, these standards are going to be published and businesses are either going to be at those standards, or below them. If they’re below, they may be at a competitive disadvantage. Or they may have to take part in a certification program. Or, if you’re not and there is some type of data breach, there could be liability or penalty. The General Services Administration is supposed to make recommendations on how these standards can be incorporated into contracts.
That’s potentially huge because the federal government is the biggest customer in IT. That could reach all sorts of businesses, not to mention countless software companies.
If you’re doing business with the government, this cybersecurity legislation could become the new standard for doing business. The main thing is to monitor what is going on and, if you can, get involved. There’s a NIST request for information going out – actually, some of those questions are out now, even though it hasn’t officially gone out. Here, people can get a sense of what performance or methodologies they’re looking for. The second aspect of this is workshops that will start in April. NIST is going to really work through the industry sector coordinating councils. It depends on where each of these industries lines up, and there may be an additional way to participate.
Back to those basic players involved in the cybersecurity legislation, the utility providers and those essential to infrastructure. What is your sense when it comes to their security levels now?
I wouldn’t want to disparage any efforts out there. I’m most familiar with the telecommunications industry, and there are a lot of great things going on there. But, on a daily basis, we hear about someone new that has been hacked. Government agencies, newspapers, defense contractors, Internet security folks have all been hacked ... Security costs money and insecurity costs money, and you have to balance which costs more. We’ve got to figure out a way to up our security game, and I’d say we have to incentivize security and, in effect, grow a security market. Tax breaks, limitations on liability, that type of thing.
At this same time, there are some concrete reports on sophisticated, state-sponsored hacking operations from overseas, namely China. Nations spy on each other, but give me some perspective on how a midsized business here in the States should deal with attacks or intrusion at that scale.
It’s generally accepted that nations’ governments spy on other nations’ governments. What the cyber space has provided is countries spying on other countries’ business for advantage. I know some research from the Center for Strategic and International Studies that tracked a midsized furniture company in the U.S. that had an [advanced persistent threat] in place for years, and all of a sudden, its market share was going down to furniture made overseas. Even for furniture, for goodness’ sake, you could lose jobs and market share. That’s a roundabout way of saying, definitely, companies that should worry the most are the ones who have no idea if someone has been in their enterprise data systems or not. Just having a firewall and anti-virus is not enough.