Opinion

Cyber-security legislation: a view from Silicon Valley

Rob Rachwald, Contributor

A new bill aimed at protecting citizens’ online personal information by holding companies accountable for protecting that information is making its way through the Senate. The Personal Data Protection and Breach Accountability Act, sponsored by Senator Richard Blumenthal, would enable the Justice Department to fine businesses with more than 10,000 customers $5,000 per violation per day, up to a maximum of $20 million per violation. With all of the recent high-profile cyber-attacks, such a proposal is not only timely but arguably overdue. Unfortunately, a purely fine-based, punitive approach will not succeed. To make a difference, legislation should also be prescriptive: it should say what companies must do, not just what they will pay if they fail.

First, let’s recognize that cyber security is a different animal. To have an impact, any legislation needs to consider that hackers are well-financed, well-organized innovators. To fund their activities, hackers have created mature online exchanges that resemble eBay in structure, except that what they sell is personal and corporate data. Just a few months ago, a hacker offered to sell full administrative rights to government, military and educational websites for $499. So, for the price of an iPad, you could have purchased the ability to control a U.S. Army website.

And they’re remarkably well organized. LulzSec, a hacker team composed of about eight individuals, proved very effective, attacking the FBI, U.S. Senate and CIA websites. How did they learn the trade? Like many hackers, they leveraged online forums and chat rooms to stay trained and organized. These websites exemplify the spirit of web-based collaboration and education, offering a rich menu of tutorials, advice and tools designed to steal data. Analysis of one forum with 250,000 registered users showed that approximately 25% of discussions were focused on hacking tutorials and techniques, indicating a consistent supply of expertise.

By contrast, the good guys are on a budget, often a very tight one. Whereas hackers live to hack, most companies are retailers, banks or whatever else first, and security experts a distant second, third or fourth. Slapping them with fines will only encourage gaming the system, like a driver who speeds on the highway and slows down only when the highway patrol might be near. In the case of security, a company could simply weigh the odds of a breach and the cost of security against the cost of a fine, and under-invest whenever the fine looks cheaper. Avoiding this dynamic requires a prescriptive approach.

The good news is that a template already exists: the credit card industry regulated itself and created the Payment Card Industry Data Security Standard (PCI-DSS). PCI forced companies that process credit cards to implement the basic elements of data security, summarized in 12 specific requirements. The impact? A report from Verizon highlighted that 88% (!) of companies breached in 2010 were out of compliance with PCI. It’s a system that’s working.

To be effective, any legislation should be prescriptive and should strongly consider the PCI model. PCI can also be a model for legislative innovation. Ohio and Minnesota have both adopted their own versions of PCI to protect their citizens’ sensitive information. Another variation surfaced when Nevada, beginning on January 1, 2010, became the first state to mandate PCI-DSS compliance for businesses that accept credit cards. In other words, any data collector doing business in Nevada must comply with the version of PCI-DSS currently in force. Nevada’s adoption of PCI-DSS combines the best of what the private and public sectors do well: the flexibility and innovation of a private-industry standard with the enforceability and visibility of state action.

When the California legislature attempted to pass sweeping new legislation placing a significant burden on retailers for the cost of data breaches, Governor Arnold Schwarzenegger vetoed the bill because of its high cost to small businesses, its unclear language and its potential conflicts with PCI-DSS. Future legislation risks creating similar problems and interfering with a private-industry standard that rapidly adapts to the changing needs of data security.

But there’s more. Any legislation must also consider the role of law enforcement. Hackers are criminals who should be arrested, and stopping them requires deploying law enforcement in creative ways. For example, in the banking industry, financial institutions have pooled resources to track information on fraudsters in a shared database known as the Early Warning System. What if a similar database existed for cyber attacks, chronicling malicious IP addresses so that every participant could check its own traffic against what others had already seen? A simple step like this could help bring down cyber crime dramatically. When Microsoft shared information about known spam servers in 2010, spam volume dropped 30% overnight.
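The shared indicator database proposed above is only useful if participants actually match it against their own traffic. The following is an added example, not code from the article or from Imperva, of that check in Python: a constructed indicator feed containing both single hosts and CIDR prefixes, and a few constructed web-server log lines in the common "combined" format. All addresses are from the reserved documentation ranges, not real attackers, and the log lines are made up for illustration.

```python
"""Match web-server log lines against a shared blocklist of malicious
IP addresses and networks.  Added example: the feed and the log lines
below are constructed for illustration and are not real indicators."""
import ipaddress
import re

# Constructed indicator feed: bare hosts and CIDR prefixes, one per line,
# '#' comments allowed.  Documentation ranges only (RFC 5737 / RFC 3849).
BLOCKLIST_TEXT = """
# shared indicator feed (constructed, not real data)
203.0.113.7
198.51.100.0/24
2001:db8::/32
"""

# Constructed Apache/nginx "combined" log lines, plus one junk line to
# show that an unparseable record is skipped rather than crashing the scan.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 -0700] "GET /admin HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2011:13:55:37 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.200 - - [10/Oct/2011:13:55:38 -0700] "POST /login HTTP/1.1" 403 0 "-" "curl/7.21"
2001:db8:1::beef - - [10/Oct/2011:13:55:39 -0700] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests"
not a log line at all
"""

# Leading fields of the combined format: client IP, ident, user, timestamp,
# request line, status.  Referrer and user-agent are not needed for matching.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_blocklist(text: str) -> list:
    """Parse a feed of addresses and CIDR prefixes into network objects.
    A bare address becomes a /32 or /128 so every entry is a network."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # A malformed feed entry must fail loudly, not silently
            # disable matching for the rest of the feed.
            raise ValueError(f"bad blocklist entry: {raw!r}")
    return nets


def is_blocked(ip: str, nets: list):
    """Return the matching network, or None if the address is not listed
    (or is not a valid address at all)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def scan_log(log_text: str, nets: list) -> list:
    """Return (ip, matched_network, request_line, status) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, keep scanning
        net = is_blocked(m["ip"], nets)
        if net is not None:
            hits.append((m["ip"], str(net), m["req"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, load_blocklist(BLOCKLIST_TEXT)):
        print(*hit, sep="\t")
```

Run as written, the scan flags three of the four well-formed lines (the host entry, the /24 and the IPv6 prefix) and leaves the 192.0.2.44 request alone. Two caveats a practitioner would attach to any such feed: an address match is a signal to investigate, not proof of guilt, because NAT, shared hosting and dynamically assigned addresses put innocent traffic behind the same IP; and entries need a source and an expiry, or the list will accumulate stale addresses that block legitimate customers long after the attacker has moved on.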

Security isn’t free and isn’t a profit center. However, many industries chose to digitize and transact assets online in order to improve their business. Now, legislators have the responsibility to see that data is protected from the hackers and insiders who threaten brand equity and shareholder value when it is compromised. This is simply the new business reality of the digital age, and it requires a strong, focused and innovative approach.

Rob Rachwald is a data security expert. He is the director of security strategy at Imperva, a Silicon Valley-based company.
