Memo to Congress: On cybersecurity, regulation isn't a dirty word
Not surprisingly, the 12 House Republicans on the GOP cybersecurity task force all were on the same page when they presented their recommendations for security legislation in the 112th Congress. To a man, they agreed that the issue is urgent, but emphasized that any legislation must consider not only the cost to taxpayers but also to industry, which owns and operates most of our critical infrastructure.
“Industry should not be burdened by additional regulation,” said Virginia’s Bob Goodlatte.
The recommendations, which called for a menu of voluntary incentives to encourage companies to improve cybersecurity along with limited regulation for those sectors that already are highly regulated, are not all that different from the proposal offered by President Barack Obama in May. He, too, proposed a light touch on regulation, focusing on voluntary compliance rather than enforcement.
GOP cybersecurity task force: Cooperate, don’t regulate
Is cybersecurity about to become a partisan issue?
But at some point both the private sector and government need to have a clear understanding of exactly what is expected of them in securing our nation’s information infrastructure, which everyone agrees is vital to our national and economic security. Government should not be shy about setting those expectations in legislation.
Consider this statistic cited in the task force report: “Some estimate that 85 percent of the threat to our information networks can be eliminated with proper cybersecurity hygiene.”
“We have an obligation to pursue this,” California’s Dan Lundgren said of this low-hanging fruit.
We can quibble about the exact percentage, but time and again the threat trends reported by security researchers have shown that the vast majority of attacks are exploiting known vulnerabilities for which fixes and patches long have been available. This raises the question, if so much of the problem can be solved with good hygiene, why are so many of these people not practicing it?
There are two possible answers: Either they don’t know what to do, or they don’t want to do it. The solution is to tell them what to do and make sure they do it, and that sounds like regulation to me.
No one supposes that regulation is a panacea for cybersecurity. The infrastructure is too dispersed and complex for that. And there is the obvious problem that, once you have eliminated the 85 percent of low-hanging fruit, the remaining 15 percent will become 100 percent of the problem. But getting the easy stuff out of the way will at least buy some additional time and make it easier to address the remaining problems.
Any cybersecurity legislation imposed by Congress should not be draconian. It cannot be technology-specific because, as the task force points out, the technology changes so much faster than Congress can act that regulation could keep up. And, not to be disrespectful, it is obvious that our elected senators and representatives do not know enough about computer science to effectively put technological requirements into law.
But Congress should not be squeamish about establishing firm baselines for the level of security that both government and the private sector must maintain on their systems or about making it clear that they are not just expected but required to follow best practices.
There is a wealth of expertise in both government and the private sector. and organizations such as the National Institute of Standards and Technology and the SANS Institute, to name just two, have been doing great work defining what the standards and best practices should be.
Regulation is not necessarily a bad word. Congress needs to use it effectively for cybersecurity.