Tuesday, May 8, 2012

Interesting article on NPR about whether businesses should foot the bill for a Cyber War.

The Lieberman-Collins bill before Congress would help pay to secure the nation's critical infrastructure like the power grid, water treatment plants, and the financial system.  Does the government have a duty to protect the rest of the country?

I think it's a great question.  One reason is the first sentence of this blog post - it's not "A" cyber war that we're talking about here...we can't talk about it like it isn't already happening.  It's the current cyber war.  If a city was hit by a tornado or hurricane, there is always disaster assistance that is available.  It's important to a country, especially during a war, to help rebuild so that the country can keep on functioning.

Another reason - can a small business really protect itself from a cyber attack from a government?

On the flip side of the issue, of course, is risk tolerance.  Businesses don't take security seriously largely because they don't need to.  The only reason some companies have security programs is so they can comply with the Payment Card Industry Data Security Standards (PCI-DSS), and even then it is largely ignored (as we saw was the case with Sony last year).  People are excellent judges of risk.  As identity theft grows, they will tend to get better at creating passwords.  Businesses, too, need to learn from these issues.  But until the Wall Street Journal is covering a story about how a Fortune 500 company closed its doors because of a security breach, businesses won't invest what they need to in order to protect themselves.  Despite Sony's breach last year, they are still in business and their stock seems to have been barely affected.

If the government steps in, then, and prevents businesses from having to deal with the ramifications of a security threat, then businesses never will treat the issue seriously.