According to ESG research, 66% of enterprise security professionals believe that the U.S. federal government should be doing significantly more or somewhat more to help the private sector cope with the current cybersecurity situation and threat landscape.
Okay, but what exactly should the feds be doing? Here is some additional research on enterprise security professionals’ suggestions for the U.S. federal government along with my editorial comments:
- 45% say the U.S. federal government should create better ways to share federal security information with the private sector. (Translation: Fix, pass, and operationalize CISPA as soon as possible.)
- 42% say the U.S. federal government should provide funding for advanced research and development around cybersecurity and APTs/zero-day malware. (DARPA is doing some work here and I’m sure DoD and NSA are funding some university programs, but in my humble opinion, the U.S. should be doing more with academia and the information security industry.)
- 41% say the U.S. federal government should enact more stringent national cybersecurity legislation along the lines of PCI. (This is the intent of the Cybersecurity Act of 2013 (S.1353) but it’s unlikely to pass anytime soon. Oh well.)
- 39% say the U.S. federal government should provide incentives (i.e., tax breaks, matching funds, etc.) to organizations that improve cybersecurity. (Stay tuned on this one – we may see some incentives announced after the release of the federal cybersecurity framework in February 2014.)
- 38% say the U.S. federal government should provide funding for cybersecurity professional training and education. (Great idea and sorely needed. Just look at the number of cybersecurity openings there are in Washington alone! Sadly, I have no progress to report here.)
- 37% say the U.S. federal government should coordinate an APT/zero-day malware taskforce composed of government security experts, security researchers, and security technology vendors. (Not sure about this one as we’ve done enough jawboning on this issue. If a taskforce is convened however, I am happy to contribute and I volunteer my knowledgeable friend Richard Stiennon to participate as well.)
- 31% say the U.S. federal government should enact legislation with high fines for data breaches as a punitive measure to encourage organizations to invest in more cybersecurity defenses. (Ain’t gonna happen. Count on the feds using carrots but not sticks.)
- 27% say the U.S. federal government should use diplomatic means to address APTs/zero-day malware in the international community. (Another good idea that should be pursued, but the good old U.S. of A. doesn’t have much street cred in this area thanks to Eddie Snowden and the N.S. of A.)
- 26% say the U.S. federal government should adopt and fund a public service campaign around cybersecurity and APT education. (I’ve been advocating a “Smokey the Bear” type campaign for years. This is the kind of program that should be a no-brainer for the feds.)
Cybersecurity professionals are talking – is Washington listening?