Greetings from the Australian National University in Canberra, where Professor Fred Cate from Indiana University is speaking on "Taming cyberspace: Applying international law in a new domain" as part of the conference "Securing our Future in Cyberspace". He claimed that on-line systems are not secure. He challenged the audience to name one secure system and no one took up the challenge. The room is full of people from Australian government intelligence agencies, who hopefully have such systems but can't say. ;-)
Professor Cate claimed that 85% to 90% of break-ins to systems are due to human failings, due to phishing or poor passwords, not highly technical attacks. He also claimed that outside banks and a few other categories, there is no legal obligation to secure systems. His conclusion was "We are not taking cyber-security seriously any more", saying US investment in the area is small compared to other security matters. Professor Cate criticized the US Government for only having a "Cybersecurity Coordinator" (currently Michael Daniel).
Professor Cate claimed there were no regulations requiring organizations to have good security. However, he mentioned "governance" earlier on. Australia developed the standard "Corporate Governance of Information and Communication Technology" (AS8015), later adopted internationally as ISO/IEC 38500 in 2008. These standards are not mandated by law. However, there are corporate governance laws. I suggest that the standards could be applied through case law, or could be explicitly made mandatory through legislation.
Professor Cate claimed that there was no one in the US Government to shut down a government server which was sending out computer viruses. With the greatest respect to the professor, I do not believe this to be true. Any IT professional with a server under their control has an ethical and legal obligation to shut it down if it is sending out computer viruses (unless of course it is part of an authorized security operation).
Professor Cate asked if any government had a system to deal with a widespread emergency without the Internet. A quick search shows they do. The US military has the Minimum Essential Emergency Communications Network (MEECN) and the Australian Defence Force and state police forces have HF radio networks. There are also Australian outback HF networks.
An interesting comment by Professor Cate was that insurance companies are effectively setting cyber security standards in the USA.
There is an extensive set of papers on Cybersecurity by Professor Cate.