White House cybersecurity proposal would create disincentives, says industry group head
Cybersecurity legislation proposed by the Obama administration would create counter-incentives against better private sector cybersecurity, Larry Clinton, president of the Internet Security Alliance, told a June 24 House panel.
The White House proposal would set up a framework of performance standards and measures against which private sector operators of critical infrastructure would be regularly audited, with the audit results--or high-level summaries of them--disclosed to the public.
But the proposal runs counter to the way cybersecurity threats have recently evolved, Clinton told the House Homeland Security subcommittee on cybersecurity, infrastructure protection and security technologies.
Modern threats, Clinton said, are stealthy and sometimes even plug the security holes that permitted their infestation. "They go into your system and they hide," he said. That means that companies need incentives to look for that kind of malware--which means not creating a disincentive in the form of publicly published audit results.
"If the corporation knows that...the harder they look for a problem, the more likely they are going to be named and shamed for finding it, we've created exactly the wrong incentives," he said.
Clinton said the government should take on a role that promotes greater information sharing, partly in order to spur creation of a cyber threat insurance industry. Right now the cyber threat insurance industry is hobbled because it doesn't have access to actuarial data, since companies keep cyber attack data private.
Clinton--whose alliance represents, among other companies, Boeing, Dell-Perot, Lockheed Martin, Northrop Grumman, VeriSign and Verizon--also recommended a federal revolving fund to stimulate growth of cyber threat insurance.
"Right now the federal government is carrying all the risk of a major cyber event," he said. Were a cyber attack to bring down a major part of the infrastructure, Congress would end up paying for the economic damage, he added.
During the hearing, Melissa Hathaway, president of Hathaway Global Strategies, criticized the White House proposal for the regulatory role over private sector cybersecurity it could create for the Homeland Security Department.
"Inserting DHS into a regulatory role in this context dilutes its operational and policy responsibilities and likely distracts from the nation's security posture," she said.