Last Thursday, the Securities and Exchange Commission issued guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. While I am still pondering the efficacy of the SEC guidelines and will write more on that topic later this week, the key issue is that companies should "disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky."
As analysis pours in on the good and the bad of the guidelines, there has been less discussion on another item that is a by-product of the issuance -- a movement within the federal government for clearer divisions of labor between agencies on cybersecurity. The SEC is carving out a jurisdictional responsibility for itself with the guidance, requiring public companies, regardless of their type of business, to evaluate the material risk of cybersecurity. In recent months, we have seen the Federal Trade Commission stake out data breach notice and privacy as its territory, while the Commerce Department has issued a report on proposed voluntary codes of conduct for the Internet and Information Innovation Sector (I3S).
What does this mean? It means that the efforts after the 9/11 terrorist attacks to merge the majority of cyber efforts in the federal government from the FBI, Commerce, GSA, and others under one roof in the Homeland Security Department has transformed itself. DHS is not focused on being the uber-cybersecurity agency but, working with and in competition with the Defense Department, on being the agency that works to secure critical infrastructure (only) and the government's own systems.
In today's networked, interdependent, and interconnected world, the model of one government entity for all cyber, whether in a coordinating or leading role, makes little sense. The same entity that should be protecting the smart grid and nuclear systems should not be worried about whether little Joey's identifying information was lifted in a hack on Sony's Networks. Yes, there is intelligence that needs to be examined to determine trends in threats and vulnerabilities but that is a job in and of itself.
It is largely anticipated that the Obama administration will announce this week or next the successor to Phil Reitinger as the deputy undersecretary for cybersecurity at the Homeland Security Department. Given the clearer lines being drawn by agencies, I would not be surprised to see this person emerge from the Defense Department/contracting space, as opposed to the high-tech/Internet world of the past several leaders on cybersecurity within the government. Choosing such a person would make the path forward for the government, as it is envisioned by the current leaders, even clearer.