A flurry of long-overdue government initiatives designed to address cybercrime has begun to actually develop some momentum. When I consider that it took a year to just get a cybersecurity bill through committee, I think of Nero fiddling while Rome burns, especially when everyone on the committee appears to believe it’s critical legislation.
The CyberSecurity Act, S. 773, started life in April of 2009. Its painfully long gestation was, in part, due to the Presidential “kill switch” clause that would have allowed the President to disconnect networks from the Internet. This has been replaced by a predefined plan (to be developed in collaboration with network infrastructure owners) that spells out criteria that would justify shutting down a network. This is almost certainly better than leaving this power in the hands of one person, no matter how smart, though the devil will be in the details, and much attention will need to be paid to the T's and C's of this.
I particularly like the aspects of the bill that increase investment in building cybersecurity expertise through education. Scholarships and other tools should motivate students to build critical skills, which will be vital to ensuring industry and government will have a deeper pool of cybercrime experts to draw on as cybercrime continues to evolve.
Still, all these measures are really reactive, and many may take years to materially change the threatscape. S. 773's effects will be limited because they fail to address one of the biggest challenges of all, the lack of political will among the international community to actually crack down on cybercriminals.
So long as some countries perceive it is in their interest to allow cybercriminals to bring in cash, there will be no serious effort to rein in the crooks. However, as some of these emerging economies begin to accumulate more wealth they will inevitably become targets themselves. Over time, this may cause an increase in attacks on their own citizens that causes a net outflow of money, and then I expect we’ll see action.
At any rate, as Randy noted in his blog on Carrots, Sticks and Cyber-spies, the creation of a Cyber-Security Ambassador to the UN is a good step in moving closer to a time when there is actually a concerted focus on solving the geo-political security holes that prop up online organized crime.
Dan Clark
Vice President, Marketing and Research
ESET, LLC