Network World just released its list of the “biggest security snafus of 2012 — so far.” That list confirms what you probably already knew: It’s been a tough year for the folks who safeguard sensitive and valuable information.
In the public sector, health and Medicaid data for nearly 800,000 people was stolen from a Utah Department of Technology Services server in March. In May, hacktivist group Anonymous released 1.7 GB of data stolen from a U.S. Justice Department server. And in June, the University of Nebraska said a data breach exposed more than 654,000 files of personal information.
Cybersecurity is on my mind for two reasons. First, as I write this, I’m returning from a trip to the Center for Internet Security (CIS), a 2-year-old nonprofit that tracks cybercrime activity and shares threat information and best practices with state and local governments. The CIS is led by Will Pelgrin, former director of cybersecurity and critical infrastructure for New York state. Pelgrin led cybersecurity efforts in New York for nearly 10 years, and founded the Multi-State Information Sharing and Analysis Center (MS-ISAC), a cybersecurity information sharing and monitoring group that includes all 50 states.
Pelgrin’s shift to nonprofit status was driven at least partly by the desire to boost collaboration and information sharing among government agencies and private companies. He says cross-agency and intergovernmental collaboration is easier now that the CIS is seen as a neutral third party.
Security pros like Pelgrin say we’ll never block 100 percent of cyberattacks. But teamwork and information sharing among private industry, government agencies, security firms and law enforcement can reduce the odds of serious trouble.
That brings me to the second reason I’m writing about cybercrime: For several years, Congress has struggled to pass legislation to strengthen cybersecurity standards and improve sharing of threat information between sectors. It’s currently crunch time for one such measure, the Cybersecurity Act of 2012, which observers say must clear the U.S. Senate in August to become law this year.
The bill came under fire from Republicans wary of imposing new regulations on U.S. businesses and from privacy advocates who fear the measure would let companies hand over users’ personal information to the feds without permission. Some Republican senators created a competing bill focused on information sharing, but with fewer regulations.
As of late July, the issue was unresolved — but it demands resolution. Privacy rights must be respected, and businesses can’t be overburdened. But protecting information and critical infrastructure from cybercrooks is vital to the nation’s future. Maybe the CIS offers some ideas for information sharing and cyber-readiness we can all live with.