For all the effort that is being put by enterprises, government and vendors into combating cyber threats, there are still a few areas where progress has been slow at best and non-existent at worst. Here, in no particular order, are four cybersecurity items that need more action and less talk.
Federal cybersecurity legislation
Congress has been grappling with this one for years but has failed to deliver anything truly meaningful. Year after year, bills have been introduced in the United States Senate and the House of Representatives aimed at bolstering cybersecurity within the government and critical infrastructure. Year after year, the bills have been discussed, debated, criticized, marked up, modified, revised and voted on and yet they have ended up going precisely nowhere.
Ironically, both Republicans and Democrats agree in principle that some sort of legislation is needed to push government agencies and those in critical industries such as utilities and financial services to bolster their security. The disagreements have been over how to go about achieving that goal. As with everything else in Congress these days, debates over cybersecurity legislation have tended to get bogged down along hyper-partisan lines. While Democrats have wanted a more regulatory approach, the Republicans have favored more self-regulation.
Meanwhile, attacks against critical U.S. assets in cyberspace have been steadily escalating. President Barack Obama has promised (threatened?) to issue a cybersecurity executive order since Congress has been unable to come up with a bill on its own. It's unclear what such an order would contain, but it's unlikely to be as effective as a well-written piece of cyber security legislation would be. And that means it's now up to the 113th Congress to get the job done.
Supervisory Control And Data Acquisition (SCADA) systems control critical equipment at utility companies, energy and oil firms, nuclear power plants and other critical infrastructure areas. As the Stuxnet attacks on Iran's nuclear facility at Natanz demonstrated with chilling results, such systems are vulnerable to all sorts of tampering. Yet, many SCADA systems continue to be full of security vulnerabilities that their manufacturers appear to be in no particular hurry to fix, according to security experts.
In the past, SCADA systems used to be standalone systems, completely isolated from the Internet and therefore pretty hard to attack without physical access to the systems. That's changed in recent years and with that so has the risk profile. With a growing number of SCADA systems becoming accessible via other systems and even the Internet these days, the risk of vulnerabilities being discovered and exploited has grown exponentially. According to Digital Bond, a SCADA consultancy, the number of flaws discovered in industrial control systems and SCADA systems increased 400 percent over the past two years alone.
Sign up for Computerworld eNewsletters.