Thoughts on the cybersecurity task force

October 17, 2011 - 0 Comments

A Republican task force recently released a limited set of near-term recommendations for cybersecurity legislation that emphasized voluntary standards instead of regulation. Interesting. Several words jump out at me in that sentence. “Voluntary standards”, “near-term”, “not regulated”. I paraphrase.

Seems to me that something as important as a task force that was put together should be working on an overall strategy to address cybersecurity rather than trying to patch holes in the dike.Now, I have no problems with short-term recommendations that address the critical issues, but creating them without a larger strategy to tie them to really doesn’t do much good. How does anyone know what they are working towards if there is no defined end as part of the bigger picture?

The article goes on to say that there are definitive improvements that provide momentum for much needed legislation that  should happen this year. Okay, that’s a good thing, right? But these are areas where we know we need to make improvements, i.e. FISMA reform and data breach notifications. Part of cybersecurity, sure, part of a bigger picture, yes. But, to what end? We should not be so opposed to regulation when addresses the cyber threat, whether it be for government agencies or private sector, as explained here.

If the government is going to form a Cybersecurity Task Force, and spend time on it, the outcome should include both short and long-term strategies. Once this is done, you can attack the low-hanging fruit that everyone agrees on while details are worked on the other issues. This should be an on-going effort, and should identify the bigger issues that need further discovery as well as the near-term recommendations. But according to the article, the only thing that is being addressed are topics that both sides agree upon.

Some may say this is a step in the right direction. In my opinion, it is merely a tactic to side-step the real issues and make it appear that something is being done about it. I realize cybersecurity it a big issue, but that means we need a big plan. Not a bunch of stop-gap regulation.

Am I missing something, or is there something more to this? Please provide your comments and thoughts on the subject so that maybe we can get a conversation going where both sides realize this is bigger than just a couple of laws being passed this year.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.