Security Takes a Holiday

12:05 PM -- Ah, National Cyber Security Awareness Month. It's now in its second year, and I can already see the traditions beginning to build.

Everywhere in America, families are gathering around the firewall to exchange antivirus software. We're hanging our FBI logos on the door to ward off hackers and evil spirits. And if we've been very good all year, the Great White Hat will come while we're sleeping and give us a free penetration test.

Yeah, right.

Now, I don't mean to spoil the holiday spirit here, but I can't help feeling that National Cyber Security Awareness Month demonstrates many of the reasons why government doesn't really get the IT security problem.

The month was proposed last year by the National Cyber Security Alliance -- a consortium of government agencies and some private industry sponsors -- and approved by Congress and the Department of Homeland Security. The idea is to spend a month doing cybersecurity education -- mostly symposiums and conferences, along with some programs in the schools.

The concept isn't bad. Anything that helps consumers become more aware of security issues is helpful. But to me, it seems a bit like having a month of general awareness programs on terrorism or global warming. It makes the politicians look good, but it doesn't really do anything to solve the problem.

First of all, security is not a "national" problem. It's a global problem. Are they celebrating National Cyber Security Awareness Month in Russian spam centers or online gambling institutions in the Caymans? Yeah, they're probably roasting a duck right now.

Second, IT security deserves more than one month. Consumer awareness, law enforcement, meaningful legislation -- these are issues that should be front and center all the time in government and elsewhere. Instead of funding a month to talk about it, shouldn't Congress be funding new law enforcement initiatives to fight it? Maybe they could have spent the time better by rolling up the 14 different pieces of cybercrime legislation currently pending, and finally passing some comprehensive laws against it.

Lastly, maybe government should look at the impact of last year's National Cyber Security Awareness Month. Since last October, at least four major government agencies have experienced data breaches. Incidents of phishing and identity theft are at an all-time high. And some studies indicate that consumers are bigger, fatter targets than ever. (See Hackers Target Consumers.)

Security isn't a month-long awareness issue, like American History Month. It's an issue for quick, decisive action. We're just a month away from the next election -- maybe we should look for government officials who truly understand the problem and want to do something about it.

Of course, for being a Scrooge, I'll probably get a lump of coal in my spam filter.

— Tim Wilson, Site Editor, Dark Reading