Lock IT Down: Congress set to lay down the law on IT security

Can new laws make your network more secure?

By Wayne Rash

Despite all of the gnashing of teeth and rending of garments regarding organized security threats in the past year, there wasn't any substantive movement in the U.S. government until recently, when Senator John Edwards (D-NC) introduced the Cyberterrorism Preparedness Act of 2002 (S. 1900). The Act aims to create a set of computer security best practices for the government.

This bill, if enacted, would direct the National Institute of Standards and Technology to oversee a study on computer security best practices, which would focus on ways to help prevent cyberterrorism. After the study, a set of best practices would be developed. Then there would be a recommendation on whether contractors and grantees (people and companies that get money from the government) would be required to follow the best practices. Finally, several models would be developed, and eventually, the best model would be implemented.

So if all of this is theoretical, why should you care? Because if this bill passes—and there's a good chance it will—you can assume that you'll have to follow the prescribed best practices. Your company might not do business with the government directly, but you may work with another one that does. As a result, you could find yourself being required to use a government-approved firewall or intrusion detection system or maybe an improved network management system. You could also be required to beef up your authentication, both of users and partners, perhaps through the use of smart cards or biometric devices to ensure that the data you're trading with your business partners is untainted by the touch of terrorists.

There will probably be auditing and reporting requirements to demonstrate compliance, so it's likely that there will be more paperwork—perhaps a lot of it. It's unlikely that the U.S. government will go to the trouble to protect itself against cyberterrorism without requiring the same protection for companies with which it does business. To do so would simply mean that the bad guys could attack government contractors as a way to break in to the government computers and networks.

In the immediate future, this bill won't affect you much. Assuming it passes, there will be about six months while the study takes place, the preliminary best practices are announced, and the implementations are modeled in several locations in the government. Only when the final form of those practices shakes out are you likely to be affected.

So here's your heads-up. While you wait for the final word, you'll have the opportunity to track the bill's progress and perhaps voice your thoughts to congressional representatives. As you're aware, many businesses can influence impending regulations most effectively by working with their members of Congress and their senators. But the bottom line is to make sure the Cyberterrorism Preparedness Act of 2002 stays on your radar screen. You can't afford to be oblivious to coming regulations until they drop out of the sky and land on you.
