A presidential executive order that was signed Tuesday requires the establishment of security standards for certain “critical industries’” computer networks within one year. The standards are said to be voluntary, yet “it left open the possibility that regulators may use their authority to enforce the standards.” It leaves me scratching my head and wondering how it’s voluntary if it’s going to be enforced by the government.
I also have to wonder about the provision calling for “greater sharing of cyberthreat information by the federal government with the private sector.” That sounds great. But – and you can call me a cynic – is it really going to be about the government sharing its information, or about requiring private companies to share their information with the government?
A former DHS official says “ … most private sector actors will choose not to participate.” When that happens, will this “voluntary” program become mandatory? How long until it’s applied to all networks and not just those in “critical industries?” More to the point as far as IT pros are concerned, how long until network administrators are required to meet government-mandated standards, as well, and be licensed in order to practice their profession? Think it can’t happen? It certainly appears to me that we’re headed in that direction.