Jail threat might tighten cybersecurity
Published: 24 Dec 2003 09:55 GMT
After a run of corporate scandals at the likes of Enron, WorldCom, Arthur Andersen, Tyco and others, Congress enacted the so-called Sarbanes-Oxley bill in 2002.
The intent was to remedy the US accounting system, which had allowed corrupt managers to take advantage of gaping holes. The new law now holds senior executives and directors of public companies responsible for the preparation and approval of their business's financial statements.
Although the final verdict on the law won't be in for several years, this much is clear: If a chief executive gets caught with his or her hand in the till, Sarbanes-Oxley makes sure that there's a comfy jail cell waiting in a federal penitentiary somewhere.
There's a lesson here for the debate over how best to proceed on cybersecurity: whatever its imperfections, the lesson of Sarbanes-Oxley is that if you want results, scare the hell out of 'em.
You can count on companies to talk about implementing cybersecurity guidelines and best practices until they're blue in the face. Truth be told, however, you won't see major changes until the law holds actual bodies to the fire.
There's no doubt that finding the right balance between coercion and voluntary compliance is difficult. But the last thing anyone should want is a repeat of the HIPAA fiasco. The Health Insurance Portability and Accountability Act of 1996 was ostensibly designed to protect workers' health coverage. Unfortunately, it doesn't have real teeth, because there's no auditing by the government or by independent third parties. (The Department of Health and Human Services will only audit a company in response to specific complaints.) While some companies are working very hard at complying, others are not -- and are not getting punished.
No single set of best practices will apply to every company. Still, there's no reason that the software business can't adhere to a measurable benchmark. After all, the federal government regularly conducts audits based on set standards. That makes it clear to everyone what the game is. Why can't something similar apply here?