Lewis: Cybersecurity legislation must address critical infrastructure

Four cybersecurity bills are being considered on the Hill this week, but one cybersecurity expert warns that if passed, they wouldn't go far enough.

There has been much contention around whether agencies can or should regulate critical infrastructure, but if it doesn't happen, "Congress will have failed," said James Lewis, director of the Center for Strategic and International Studies' technology and public policy program.

"There are some very useful bills in the House and they'll do some good things, but the ultimate test will be: Do you give the government more authority to mandate security at critical infrastructure facilities? If we don't do that this year, an attack is inevitable," said Lewis during an April 24 hearing of the House Homeland Security subcommittee on oversight, investigations and management.

Lewis said that those who argue that the internet can heal itself or that voluntary, aggregate information sharing is adequate are naive.

"This was tried in the Clinton administration. It did not work then, it will not work now, it will not work in the future when our opponents are more advanced and we are more dependent on cyberspace," he said.

Stephen Flynn, co-director of the George J. Kostas Research Institute for Homeland Security at Northeastern University, agreed, saying, "at the end of the day, purely voluntary approaches will not get us where we need to be."

Information sharing is entirely reactive, noted McAfee Chief Technology Officer Stuart McClure. More needs to be done to ensure standards for security controls, he said.

Just last week, the House Homeland Security committee changed its subcommittee-approved cybersecurity bill, removing the requirements that the Homeland Security Department work with operators of critical infrastructure to mitigate risks through market-based incentives and possibly through regulation.

Despite these changes, the bill didn't make the cut to be considered on the House floor this week.

For more:
- visit the hearing page (includes prepared testimony and archived webcast)