Getting Cyber Security Legislation Right

Governments are creating legislation to combat cyber crime; Imperva’s Rob Rachwald wonders whether their methods will work.

The Justice Select Committee last month issued a report calling for tougher personal data abuse laws. In it they recommend that courts should have the power to jail people, such as hackers or insiders, who breach the Data Protection Act. Legislation to address the problem is a necessary step. However, the question is: will it work?

Data breaches are a huge problem worldwide. Governments and private industry have made attempts to mitigate the problem of lost data. Most countries follow a basic template: impose fines on companies that are breached. This “stick” approach has proven only mildly successful, since most firms game the system by weighing potential fines against the risk of a breach.

Understand your opponent

If the real objective is security, something more is required.  To have an impact, any legislation needs to consider that hackers are well-financed, well-organised innovators. In fact, to fund their activities, hackers have created mature online exchanges that resemble eBay in structure, except their focus is selling personal and corporate data. Just a few months ago, a hacker offered to sell full administrative rights to government, military and educational websites for $499 (£319). So, for the price of an iPad, you could have purchased the ability to control a military website.

And they’re remarkably well organised. LulzSec, a hacker team comprised of about eight individuals, proved very effective, hacking the FBI, US Senate and CIA websites. How did they learn the trade? Like many hackers, to stay well trained and organised, they leveraged online forums and chat rooms. These websites exemplify the spirit of web-based collaboration and education, offering a rich menu of tutorials, advice and technology designed to steal data. Analysis of one forum with 250,000 registered users showed that approximately 25 percent of discussions were focused on hacking tutorials and techniques, indicating a consistent supply of expertise.

By contrast, the good guys are on a budget, often a very tight one. Whereas hackers live to hack, most companies are retailers, banks or whatever else first, and security experts a distant second, third or fourth. Slapping them with fines will only encourage gaming the system, like someone speeding on a motorway and slowing down only when they think the police are near. In the case of security, companies could weigh the odds of a breach and the cost of security against the cost of a fine. Avoiding this dynamic requires a prescriptive approach.

Tried and tested

The good news is that a template already exists: the credit card industry regulated itself and created the Payment Card Industry Data Security Standard (PCI-DSS). PCI forced companies transacting credit cards to implement the basic elements of data security, summarised in 12 specific steps. The impact? A report from Verizon highlighted that 88 percent (!) of companies breached in 2010 were out of compliance with PCI. It’s a system that’s working.

To be effective, any legislation should be prescriptive and strongly consider the PCI model. PCI can also be a model for legislative innovation. Ohio and Minnesota have both adopted their own versions of PCI as models to protect their citizens’ sensitive information. Another variation surfaced recently when the state of Nevada, beginning on 1 January 2010, became the first state to mandate PCI-DSS compliance for businesses that accept credit cards. In other words, any data collector doing business in Nevada must comply with the version of the PCI-DSS currently in force. The adoption of PCI-DSS by Nevada combines the best of what the private and public sectors do well: the flexibility and innovation of a private-industry standard with the enforceability and visibility of state action.

Rob Rachwald is the director of security strategy at Imperva.