ISACA urges centralized cyber regulation for next president

The next president should move urgently to centralize cybersecurity regulation of key industries and modernize federal IT to help secure it from online threats, one of the largest associations for information security professionals said Monday.

ISACA, previously known as the Information Systems Audit and Control Association, is out with a list of five “top critical cybersecurity priorities” that the incoming president needs to focus on within the first 100 days — a common benchmark for urgent achievements in a new presidency.

ISACA, which boats 140,000 members throughout the world across various IT governance disciplines, highlights the following five broad issues, but provides little by way of specifics:

• “Bringing order to cybersecurity across all levels of American government [and] … tak[ing] a more holistic approach” to regulation and enforcement across vital industries. It calls this “An essential priority in the first 100 days,” adding that “Until now, regulatory and enforcement agencies at the local, state and federal levels have been addressing cybersecurity issues with limited coordination and in piecemeal fashion, creating challenges for executing defense and response measures.”

• “Dealing with nation-state [cyber] attacks … [in the absence of] defined international norms.” The new president will have both to deal with nation-state attacks, and distinguish “between ‘cyberterrorist’ and ‘cyber freedom fighter.’” The association urges against retaliation as a principle: “When it comes to international cyber security, adherence to an outmoded dogma of ‘an eye for an eye’ escalates to blindness in days, not months or years.”

• Dealing with the human capital crisis in cybersecurity. “Legislative and other initiatives, such as tuition reimbursement and similar support for those obtaining cyber security degrees, are a good start.” Beyond that, there should be “additional incentives for those who choose careers in the public sector, or protecting critical infrastructure.”

• “Global cybersecurity collaboration.” The president should ensure that development of international norms for cybersecurity “become[s] an ingrained part of all meetings of global leadership groups such as the G-7, G-20, ASEAN, APEC, and in any technology-focused EU-US interactions.”

• “Modernizing IT in government … The scorecard for U.S. government IT is not pretty. Reviews have moved the government into the ‘mediocre’ category, at best. This must change, and quickly.”

They line up in some measure with the priorities outlined by U.S. Chief Information Security Officer Greg Touhill, who spoke about his forthcoming plans at the AFCEA Cyber Summit in DC this month.

He too stressed the importance of human capital issues, and has been working with the Department of Education to help build the future cybersecurity workforce.

But the other measures he outlined — including “new capabilities that have not been there before; such as actively looking with hunt teams through .gov for hackers,  … improv[ing] our pen testing, … incorporating software assurance and perhaps a bug bounty across the federal government” — don’t appear anywhere in the ISACA list.