Legal, policy frameworks can hamper cybersecurity
Tools are available to counter many of the threats to today’s digital infrastructure, but a legal and policy framework created for an analog world often hampers their implementation, a panel of industry representatives told a House panel.
There was some disagreement among the panelists testifying Feb. 8 before subcommittee of the House Energy and Commerce Committee on what the role of government should be in securing critical infrastructure, but all were wary of additional regulation.
GOP cybersecurity task force: Cooperate, don’t regulate
White House's cyber plan is weak on enforcement
“The biggest obstacles are not technology; they are economic,” said Larry Clinton, president of the Internet Security Alliance. The cost and complexity of many solutions put them out of reach of many small organizations, and the added burden of regulatory compliance worsens the problem, he added.
Clinton said the government needs to get its own house in order first and called for a mix of incentives and regulation to drive better security in the private sector. The mix should be light on regulation, he said, relying on existing regulatory structures without imposing new requirements. Incentives would include liability protections and removal of legal barriers to information sharing, as well as favored status in government procurement for companies that do a good job on security.
“You’re dealing with the invention of gunpowder,” Clinton said. “Mandating thicker armor isn’t going to work.”
James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program, also called for government incentives but warned that reliance on voluntary compliance will not work.
“Companies will not provide cybersecurity adequate for national security on a voluntary basis,” Lewis said. “A company may not know of the vulnerability, it may underestimate the threats it faces, and it may have no desire to spend money on security when this does not generate a return on investment.”
Burdensome and prescriptive regulation should be avoided, but a reliance on voluntary or widely accepted business practices will damage national security, he said. Government needs to play a role in incentivizing and coordinating cybersecurity activities. “The central problem for the U.S. will be redefining the role of government.”
The hearing, held by the House Communications and Technology Subcommittee, was part of an ongoing effort by Congress to define the role of government in securing cyberspace and the nation’s critical infrastructure. Technology and threats are evolving at a speed that outpaces the capacity of government regulation to respond. There have been frequent calls to reform cybersecurity policy, both for government networks and for privately owned infrastructure. But oversight is spread across multiple committees and more than 35 cybersecurity bills have been introduced in both houses so far this session, leaving Congress struggling to pick the appropriate path.
Bill Conner, CEO of the security company Entrust, described the operation of the Zeus malware used to intercept banking transactions of small and medium-sized businesses that often do not have adequate security resources.
“The technology exists to deal with it today,” Conner said. “The banks aren’t using it, and the small businesses don’t know what to do.”
Robert Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks, described advances in industry’s collaboration to respond to threats and said the market is delivering security solutions at an unprecedented rate. But “unfortunately, the adoption of available solutions has not kept pace.”
Dix said “basic blocking and tackling,” such as good computer hygiene, could prevent 80 percent of exploits.
A common theme in the testimony is the need for better information sharing.
“We have the ultimate weapon” for countering threats, said Phyllis Schneck, chief technology officer for McAfee’s global private-sector division. “We own the infrastructure that operates at the speed of light.” But the operators often do not have the information needed to respond.
Despite increased efforts at collaboration through industry associations and industry-specific information-sharing and analysis centers, there are legal barriers to sharing real-time information among competing companies, and companies are hesitant to share information with government because of fears of liability and concerns about public exposure of sensitive information.
One approach that found favor with most of the panel is the use of service providers to provide security and remediation for client computers and mobile devices as more services move to a cloud environment.
“Computing is becoming a service,” Lewis said, shifting focus away from the end device and toward service providers. The challenge is establishing a legal framework that allows service providers to intervene with and share information about customers and a regulatory framework that encourages it without being burdensome. “The best alternative to both prescriptive regulation and inadequate voluntary practices is a pragmatic, standards-based approach that sets goals and then lets companies decide how best to achieve them,” Lewis said.