Experts disagree on focus of cybersecurity legislation
Cybersecurity legislation is needed, agreed the panelists speaking Feb. 8 before the House Energy and Commerce subcommittee on communications and technology--but what that legislation should look like was a far more divisive issue.
While the telecommunications industry is doing a good job of securing its infrastructure, other sectors need regulations to force the implementation of best practices, said James Lewis, director and senior fellow in the technology public policy program at the Center for Strategic and International Studies.
"We need to stop saying 'do no harm.' We need to move out. We need to do a coordinated defense," said Lewis.
"I do subscribe to the 'do no harm' theory," said Larry Clinton, president and chief executive of the Internet Security Alliance, in response to Lewis. For some sectors legislation would do more harm than good, he said.
"For industries where the economics of the industry are tied directly to a regulatory format--such as electric utilities, water, transportation etc.--the current regulatory structure can be used to motivate and fund needed cyber advancements," said Clinton.
"For industries where the economics are not inherent to a regulatory structure, adding a new regulatory structure will impede innovation and investment, making us less secure. In these sectors we need to motivate by providing appropriate market incentives to spur greater investment," he said.
Clinton suggested market incentives such as procurement incentives for the defense industrial base or insurance incentives for the banking industry.
An increasingly interconnected and mobile society means regulations should focus on the service providers, said Lewis. He sees cyber responsibility shifting away from technology in the hands of the consumer to the telecom companies, internet service providers and cable companies.
"You don't patch your cell phone, you don't program it. Computing is becoming a service and that will change the contours of security and change the requirements for regulation," said Lewis.
Hardware remains a source of insecurity, said Lewis, but because cyber intrusion through hacking is relatively easy for malicious actors, there isn't a real business case to infect hardware. If cyber defenses improve, however, "they will move to the supply chain," he said.
"At the last count there are 155 supply chain risk management initiatives in the government today. We need to coordinate those issues," said Robert Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks.
Dix said the government continues to buy from untrusted sources because there is a culture "of cost and schedule across departments and agencies where, in order to save 5 cents on a widget, we're buying from low cost, low bid."
"As a result of that we end up in the grey market and then we wonder why we have counterfeit or malicious products in our supply chain," said Dix.
Cyber legislation could begin by focusing on getting government entities secure first, suggested Clinton, then it can look at the private sector. Information sharing and identity management were also mentioned throughout the hearing. Dix urged the subcommittee to continue supporting the National Strategy for Trusted Identities in Cyberspace as a way to improve cybersecurity efforts. Bill Conner, president and chief executive of Entrust, emphasized the need for better information sharing among public and private-sector entities.
"I am tired of it being a one-way communication street to intelligence, and getting nothing in return... it's pretty folly I can only give you information and you can't give me any," said Conner.
- go to the hearing page (prepared testimony available)