1 Jun, 2010
Government Take Over of Critical Infrastructure IT Security Management
In a presentation delivered to ISACA in late 2009, titled “The Global Financial Crisis – It’s Your Fault”, I looked at some potential ‘black swan’ type events that we could see in the information security industry; that would change the way we currently operate. In a series of posts, over the next few days or weeks, I will look at some of these in a bit more detail, and consider whether they are in fact contradictory to our current way of operating, or whether they’re just ‘unlikely’. And if simply ‘unlikely’, just how unlikely are they?
The first to consider is a government take-over of information and IT security in critical infrastructure. Essentially, a nationalization of the IT infrastructure – or at least the IT security management of that infrastructure – in a range of industries. Such a move would seek to address the fact that much of the benefit of a ‘secure’ critical infrastructure is externalized from the private sector companies who own and run it. That is, investing heavily in the security of our critical infrastructure benefits the wider community significantly more than it benefits the private sector companies or their shareholders.
Pre-GFC, ‘market forces’ was pretty comfortably viewed as the way to go for most situations of government–private sector interaction. Industry-led standardization, or ‘light touch’ regulation, was then used in cases where market forces weren’t getting it entirely right. Government-led legislation has been taken up in IT security in a variety of countries and markets around the world, but is still a reasonably new area (as the poster on the wall of one of my lecturers at university said, “the law moves at a pace second only to geology”).
Arguably, ordered from least intrusive to most intrusive in terms of government intervention, we could look at four (by no means exhaustive) alternatives:
1. Market Forces
2. Industry-Led Standardisation
3. Government-Led Regulation or Legislation
4. Government Functional Takeover
The last of these, until fairly recently, has seemed far-fetched and hasn’t been broadly canvassed. But articles like this one (http://www.wired.com/threatlevel/2010/05/einstein-on-private-networks) suggest that perhaps we would be foolish to write this off completely as a possibility. While it still seems unlikely that such a functional ‘takeover’ would happen fully, a much tighter inter-relationship, and perhaps technical integration of monitoring systems, looks entirely likely to develop over the coming years.