The US Senate is hot on the trail of security aboard cruise ships. Security Management reports:
Because cruise ships operate in international waters or the jurisdictions of foreign countries, they are required to report crimes to the FBI or the U.S. Coast Guard. However, because the ship might be miles from the closest federal officials, it often takes days for the FBI to arrive to investigate a scene. In that time, the investigation can be undermined. Witnesses noted that evidence can disappear, victims can be intimidated, and suspects can be coached. Also, the cruise industry is not required to disclose crime statistics, making it difficult to assess the rate of shipboard incidents.
That sounds like what most IT environments used to be like before laws like California's SB1386 were passed.
Just last year I had to argue with company executives about an investigation after a telecommunications breach where they wanted to destroy evidence. They had "back-to-business" fever and wanted to move on in life as quickly as possible. Without outside governance, it can be almost impossible to get a person driven by sales numbers and pride to stop and dwell on a fault or flaw, especially when harm is externalized.
Sen. John Kerry (D-MA), the subcommittee chairman, noted that the cruise industry lacks mandatory, standardized procedures to prevent and respond to criminal acts on board ships. Terry Dale, president and CEO of Cruise Lines International Association, stated that mandatory procedures were unnecessary because cruise lines implemented voluntary processes to protect passengers.
Where have I heard that before? This is the "trust us" line of reasoning, which is based on a toothless promise. What penalty exists if voluntary measures, even when documented clearly, are not followed? None, of course, because there is no penalty mechanism in volunteerism without governance. A more logical response from Dale (well, from a security professional perspective) would be that governance is welcome because he understands the safety and security needs of customers and is ready to address their concerns directly and with accountability.
The problem with hiding behind toothless volunteerism and not taking a more proactive approach to regulation is that a law could be passed anyway, but without collaborative input. This just wastes everyone's time.
Bill S.3204 is now under consideration with numerous security measures:
…peep holes, security latches on cabin doors, and CCTV. The bill would require that all ships have crew members aboard who are trained in crime scene investigation. Cruise lines would be required to report all incidents of criminal activity to the Coast Guard, who would then make that information available to the public via the Internet. Under the bill, members of the Coast Guard would be dispatched to cruise ships to ensure that they comply with the law.
Sounds reasonable to me, although it raises the issue of who will be responsible for the privacy of passengers under the surveillance system. Can you trust the same crew already under suspicion of unethical and criminal behavior? Let's hope screening is used and privacy controls are in place to prevent new information security violations from adding fuel to the fire.