Lewis: CFATS could be model for public-private cybersecurity
A federal government looking to expand its regulatory presence in private sector cybersecurity for critical infrastructure but not wanting to exert too heavy a hand could make use of the Chemical Facility Anti-Terrorism Standards model, suggested James Andrew Lewis, while testifying March 17 before a House panel.
Lewis, director of the Center for Strategic and International Studies' technology and public policy program, told the House Homeland Security subcommittee on cybersecurity, infrastructure protection and security technologies that the CFATS model has proven successful enough to consider extending into cybersecurity.
"It's a little bit of a regulatory authority, it's a little bit of a partnership," Lewis said, characterizing it as a model under which chemical facilities voluntarily adopt security measures of their own choosing but are subject to government audits of their effectiveness.
The model has its faults, including not dealing well with liability, Lewis added, but it gives "a little more flexibility than a heavy-handed regulatory approach and it does seem to have had some success."
The government should play a larger role in cybersecurity for critical infrastructure, Lewis said, citing vulnerabilities at banks, Google (NASDAQ: GOOG) and electricity producers as evidence that the private sector, when left to its own devices, won't, or can't, invest sufficiently in cybersecurity. "It didn't take the Chinese very long to get through [Google's] defenses," he said. "There are some things only government can do."
Also testifying in an earlier session of the hearing was Philip Reitinger, Homeland Security undersecretary for the national protection and programs directorate, who likewise said that government should take a larger role in private sector cybersecurity.
"This is not all about how DHS will come in and solve all your problems for you," Reitinger said. Rather, what's needed is a partnership in which "we actually work together to drive outcomes, that we have known roles and responsibilities and we execute on those things," he said.
The DHS National Cyber Security Division has grown from a staff of 38 people at the start of fiscal 2009 to about 240 today, and that number would rise to a little more than 400 if the Obama administration's fiscal 2012 request is funded, he said.
Some private sector groups, including TechAmerica, have recently objected to the notion of an increased federal regulatory presence in cybersecurity, releasing a paper calling for the creation of incentives and arguing that a federal presence in U.S. networks could drive business away from American shores.
During the hearing, in response to a question from the subcommittee's senior Democrat, Rep. Yvette Clarke (N.Y.), Reitinger also addressed the possible consequences for DHS cybersecurity efforts of a proposed continuing resolution that would cut $93.45 million in the current fiscal year from the DHS infrastructure protection and information security fund, compared to the enacted fiscal 2010 amount of $899.4 million.
The cut, he said, would delay the department's ability to deploy Einstein 3, the latest iteration of the governmentwide network intrusion detection system.
That prompted this response from the subcommittee chairman, Rep. Dan Lungren (R-Calif.):
Lungren: Mr. Reitinger, you're not here to testify as to whether or not we should have another month in which we have a $228 billion addition to the debt, are you?
Reitinger: Uh -
Lungren: I didn't think so.
For more:
- go to the hearing webpage (archived webcast and prepared statements available)