Can government and industry solve the security/privacy equation?

A House committee on July 7 wrestled with the question of how to craft cybersecurity legislation that would coordinate government and private-sector efforts while respecting individual privacy and civil liberties.

“There is no security issue facing our nation more pressing than cybersecurity,” Greg Schaffer, acting deputy undersecretary for the Homeland Security Department’s National Protection and Programs Directorate, told the House Government Oversight and Reform Committee. “The status quo is simply unacceptable,” he added.

But although there was general agreement on the need for change, a framework for reconciling conflicting interests remains elusive. DHS lacks clear statutory authority to assist companies, companies are reluctant to share information with government, the business community is leery of government regulation, and everyone is worried about liability for gathering and handling sensitive or personal information.

“There is not a single-solution problem,” said Ari Schwartz, senior Internet policy advisor for the National Institute of Standards and Technology.

The president has proposed cybersecurity legislation clarifying DHS’ role, updating the Federal Information Security Management Act for agencies, and proposing a regulatory framework for the nation’s operators of critical infrastructure. The Oversight and Reform Committee held what Chairman Darrell Issa (R-Calif.) said was the first in what would be a long series of hearings on turning the proposal into a bill.

The process is likely to be complicated.

“Practically every committee in Congress can claim jurisdiction over cybersecurity,” Issa said. He wants his committee to be the lead in developing the legislation.

Issa was concerned about the lack of input from the private sector in the proposal and worried that it would exacerbate what he called a systemic resistance to information sharing. Schaffer said the proposal was shaped by the administration’s long-standing relationship with business interests, but acknowledged there is uncertainty in the private sector in dealing with his agency.

“They are not sure what they are allowed to share and not allowed to share,” he said.

James A. Baker, associate deputy attorney general, said “the key is clarity” in dealing with business. “We need language that would clearly authorize the sharing,” he said, along with immunity for voluntarily sharing sensitive information and exemptions from the Freedom of Information Act.

Baker said that current law provides implied immunity for sharing sensitive information with government, but this is subject to judicial decisions. Several telecom companies faced legal challenges when it was learned that they had allowed wholesale monitoring by the government of citizens’ communications in the wake of the Sept. 11, 2001 attacks. Issa said explicit immunity for such activity is needed.

Gathering and sharing this information could threaten individual privacy and civil liberties, however. The proposed legislation would require privacy programs approved by the Justice Department for all DHS cybersecurity programs, and would limit the use of monitoring and collection of information to cybersecurity threats. But all sides remained uncertain about how the law could be shaped to adequately balance privacy with collection and sharing of information.

Another area of dispute is regulation of critical infrastructure operators. The president’s proposal was crafted with a minimum of regulatory authority for DHS. Schwartz said the intent is to create a market-driven culture of security that relies on public disclosure to ensure accountability. But Issa complained that exposure of security plans and perceived vulnerabilities would increase risks and unfairly penalize companies.

The alternative to the proposed carrot-and-stick scheme would be outright regulation of critical infrastructure, which the U.S. Chamber of Commerce has objected to.

“The proposal is crafted to give industry a strong voice in developing the solution set,” Schaffer said. But so far it has not managed to fully satisfy any of the stakeholders.

Reader Comments

Sat, Jul 9, 2011 CallMeBc

The present "system" (if you can call it that) consists of highly connected government contractors with little or no reputation for cyber security, like Lockheed Martin for instance, getting lucrative cyber security and general IT contracts despite chronically poor results. You also have the inexcusable, last century use of all-Microsoft products for general office communications and networking: nothing says "We're not really that high tech or that serious about cyber security" more than having a standard Outlook/Exchange/Win Server setup for your internal use. Yeah, use all the 3rd party apps you want, but one breach anywhere and you're screwed. Also, one serious fallout of that Wikileaks business (aside from it helping to stir up the revolutions in the Middle East) is that higher end hackers got drawn in for mostly political reasons (at first at least) and have been finding the pickings pretty easy. And malware like the fake AVs has been growing quicker in sophistication than detection and -- especially -- removal methods (it says a lot that the single most effective general malware removal tool, which everyone in IT knows, comes not from some multibillion software company, but from a hacker or group of hackers). In order for the government to get serious about cyber security, they have to first get serious about hiring people with genuine world class expertise, skills, and knowledge outside of the incestuous bubble of incompetent greedheads surrounding the DC area. Fat chance of that ever happening, however.

Fri, Jul 8, 2011 michael aisenberg

Trouble is, as anyone who has read the Constitution or Ben Franklin will tell you: "Security" and "privacy" or Civil Liberties are NOT a "zero sum game", or need to be "balanced in the face of terrorism". This has been obfuscated and abused by irresponsible individuals since 9-11. The challenge is to maintain our civil liberties in the face of unprecedented threats to our security. We must not use the tactic of terror as an excuse for denying our commitment of 235 years to the Rule of Law.
