Should Feds Withhold Funds to Compel IT Security?
President Obama knows that, too. Earlier this month, Obama used the power of the federal dollar by threatening to withhold Medicare and Medicaid funding from hospitals if they don't allow visits from anyone a patient wants, including gay partners.
It isn't the first time the federal government tied behavior to funding. In 1974 - to conserve fuel as gasoline prices rocketed as a result of an oil embargo - Congress enacted the National Maximum Speed Law that established a speed limit of 55 miles an hour; states that didn't adopt the 55 mph limit faced the loss of millions upon millions of dollars in federal highway funding.
Can that line of reasoning be extended to IT security? Should the federal government threaten to withhold money intended for municipal and county governments if they don't adopt best IT security practices? Funds withheld needn't be earmarked for IT security or information technology itself; any money the municipalities or authorities would receive from Washington could be restricted.
IT security best practices aren't often on the minds - or agenda - of the officials who run these local and regional entities, a chief information security officer of a regional transportation authority in the Southeast told me in a phone conversation a few weeks back. The CISO sounded exasperated speaking of the difficulty of local governments and regional authorities having to get employees and stakeholders to practice IT hygiene. Municipalities, counties and authorities mostly have skeleton IT security staffs, if any staff at all. The CISO cited a nearby county that recently laid off its CISO, the county's lone IT security professional. The CISO I was speaking with is the only IT security professional working at the transportation authority, down from three.
By threatening to withhold federal funding, especially in these economically challenged times, IT security could become more than a blip on the radar screens of the nation's mayors, city councils and authority boards, the IT security officer suggested.
It's an idea worth exploring. Cybersecurity professionals in and out of government recognize how crucial it is to safeguard key IT systems, and though a growing number of non-IT professionals recognize its importance, including governmental leaders, the financial challenge of keeping local governments functioning more often than not thwarts efforts to implement cybersecurity best practices. Cut off their funding, and best IT security practices will gain notice. How they'll respond, though, is an unanswered question.
Curtailing funding to local governments would probably require Congress to act, and in this current environment, legislation to compel adoption of best IT security practices in exchange for cash is highly unlikely, even for a worthy cause. And enacting legislation wouldn't guarantee that its goals would be met.
Remember, the states reduced their speed limits back in the 1970s to continue the flow of federal highway funds into their coffers. Still, most drivers just ignored the lower limit, and continued speeding along the interstates, and Congress eventually allowed states to raise the speed limit. Tying federal funding to adoption of IT security practices, if pursued, would be a bumpy road. Yet, it merits discussion, so fasten your seat belts.