What federal officials want from cybersecurity legislation

Tools

A Federal Communications Commission official touted March 28 the voluntary and industry-based best practices formulated by the communications security, reliability and interoperability council, or CSRIC--triggering a deeper conversation on how heavy-handed cybersecurity legislation should be overall.

With a slew of cybersecurity legislation moving through Congress, several legislators at a House Energy and Commerce subcommittee on communications and technology hearing voiced their opposition to cybersecurity legislation that they say could lead to mandates from the Homeland Security Department and regulation of critical infrastructure.

Nine internet service providers, covering 80 percent of American internet usage, have voluntarily agreed to implement CSRIC standards, said James Barnett, chief of the FCC's public safety and homeland security bureau, during the hearing.

While the CSRIC model allows industry to self-impose and voluntarily adopt best practices, it also requires FCC to take the next step in setting metrics to determine if ISPs' measures are having the desired effect, said Barnett. As for scaling this model broadly to cybersecurity legislation, Bob Hutchinson, senior manager for information security sciences at Sandia National Laboratories, said he agrees that cybersecurity standards could be voluntary.

"One thing we need, though, is better experimentation around what constitutes best practices, rather than just a declaration," said Hutchinson.

"Take the lightest-weight approach first," said Greg Shannon, chief scientist of the CERT program at Carnegie Mellon University's software engineering institute. "If voluntary compliance works, than that is excellent. And it would be great if we can have metrics that confirm this."

But Roberta Stempfley, deputy assistant secretary of cybersecurity at the Department of Homeland Security, disagreed with the other panelists and said the actual standard-setting should come from government.

"Homeland Security's responsibilities are building standards across critical infrastructure and working with the sector experts in each sector for standards for cybersecurity," she said. She added that conversations with industry will help DHS "identify where we need to put in place best practices and rules or other mechanisms for compliance."

Hutchinson urged legislators to keep in mind the relationships already in place when crafting legislation, such as the relationship between DHS and the National Security Agency.

"Anything that can harm that relationship, I think would be hurtful to the government," said Hutchinson. "That relationship between NSA and applying classified approaches to this otherwise unclassified problem I think is extraordinarily valuable."

Hutchinson suggested that current national cybersecurity strategies should change direction in several key areas. For example, cybersecurity efforts in recent years have "almost exclusively" focused on data theft--a trend only accelerated in the aftermath of the WikiLeaks intelligence theft, said Hutchinson.

"Our best security analysts are being taught to focus their attention on indications that sensitive data is leaving our networks headed into enemy hands...our nation has diverted too many resources away from an equally, if not more important issue: malicious data modification," said Hutchinson.  

"[My] fear is that an attacker will alter our data and affect our decision processes. This form of attack has not only economic consequences, but can also impact public safety and confidence," he said.

In addition to focusing cybersecurity efforts on data integrity, Hutchinson said the United States has a profound shortage of cybersecurity professionals, which could best be addressed through apprenticeship-type programs rather than formal education and certifications. As for data-sharing efforts, Hutchinson said they're good in theory, but do not go far enough.

"Simply sharing data without rules and strategies prevents us from working together effectively," said Hutchinson.

Finally, he said there needs to be more collaboration on the issue of supply chain compromises in new mobile devices and networking components. Supply chain is a shared risk, he said. The government should be sharing lessons learned back with industry so that they can address their supply chain points of compromise.

For more:
- go to the hearing page (prepared testimony and archived webcast available)

Related Articles:
DOE proposes cybersecurity risk management process for electric energy industry
Critical infrastructure companies drowning in cybersecurity guidance, says GAO
CYBERCOM lead touts partnership with DHS