In testimony before the House Subcommittee on Cyber Security Wednesday, ISAlliance President Larry Clinton said, “We are past the time for simple education about cyber security. Now is the time for action.”
“However, for industry and government to create an effective system we need a fundamental rethinking about how we address these issues. The Internet is unlike anything we have dealt with before and will require a solution unlike what we have tried before,” Clinton said.
According to Clinton, “The threat to the nation’s infrastructure is very, very serious, and growing.” He cited the massive increase in Internet use over an inherently insecure system, coupled with an increase in more sophisticated attacks motivated not by publicity but “money, and more insidiously power and destruction,” as reasons for the more serious threat.
Clinton also said there was some good news in that the private sector already knows a fair amount about how to combat Internet threats and is working on new technologies and practices to keep pace, but argued that “more organizations needed to embrace these technologies and practices.”
The best way to assure an effective and sustainable defense system is to inject market incentives to motivate adoption of best practices. Clinton proposed Congress consider enacting a “Cyber Safety Act” which would inject market incentives designed to spur greater private investment in cyber security. “Users must come to believe that cyber security is in their own self-interest,” Clinton said.
Among the suggestions Clinton outlined in his testimony were the use of procurement, rewarding personnel for good security behavior in human resources reviews, broader use of cyber insurance, government/industry/academic consortium and awards programs.