CYBEREYE

Memo to Congress: On cybersecurity, regulation isn't a dirty word

Not surprisingly, the 12 House Republicans on the GOP cybersecurity task force all were on the same page when they presented their recommendations for security legislation in the 112th Congress. To a man, they agreed that the issue is urgent, but emphasized that any legislation must consider not only the cost to taxpayers but also to industry, which owns and operates most of our critical infrastructure.

“Industry should not be burdened by additional regulation,” said Virginia’s Bob Goodlatte.

The recommendations, which called for a menu of voluntary incentives to encourage companies to improve cybersecurity along with limited regulation for those sectors that already are highly regulated, are not all that different from the proposal offered by President Barack Obama in May. He, too, proposed a light touch on regulation, focusing on voluntary compliance rather than enforcement.


Related stories:

GOP cybersecurity task force: Cooperate, don’t regulate

Is cybersecurity about to become a partisan issue?


But at some point both the private sector and government need to have a clear understanding of exactly what is expected of them in securing our nation’s information infrastructure, which everyone agrees is vital to our national and economic security. Government should not be shy about setting those expectations in legislation.

Consider this statistic cited in the task force report: “Some estimate that 85 percent of the threat to our information networks can be eliminated with proper cybersecurity hygiene.”

“We have an obligation to pursue this,” California’s Dan Lundgren said of this low-hanging fruit.

We can quibble about the exact percentage, but time and again the threat trends reported by security researchers have shown that the vast majority of attacks are exploiting known vulnerabilities for which fixes and patches long have been available. This raises the question, if so much of the problem can be solved with good hygiene, why are so many of these people not practicing it?

There are two possible answers: Either they don’t know what to do, or they don’t want to do it. The solution is to tell them what to do and make sure they do it, and that sounds like regulation to me.

No one supposes that regulation is a panacea for cybersecurity. The infrastructure is too dispersed and complex for that. And there is the obvious problem that, once you have eliminated the 85 percent of low-hanging fruit, the remaining 15 percent will become 100 percent of the problem. But getting the easy stuff out of the way will at least buy some additional time and make it easier to address the remaining problems.

Any cybersecurity legislation imposed by Congress should not be draconian. It cannot be technology-specific because, as the task force points out, the technology changes so much faster than Congress can act that regulation could keep up. And, not to be disrespectful, it is obvious that our elected senators and representatives do not know enough about computer science to effectively put technological requirements into law.

But Congress should not be squeamish about establishing firm baselines for the level of security that both government and the private sector must maintain on their systems or about making it clear that they are not just expected but required to follow best practices.

There is a wealth of expertise in both government and the private sector. and organizations such as the National Institute of Standards and Technology and the SANS Institute, to name just two, have been doing great work defining what the standards and best practices should be.

Regulation is not necessarily a bad word. Congress needs to use it effectively for cybersecurity.

 

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Oct 11, 2011 CJ

More regulation probably isn't a good answer - better regulation probably is. Most of the regulation/policy/ processes we've been working with in the Cyber and Acquisition domains are simply too complex, too Byzantine, to be cost effectively implemented...so the industry folks (and even a lot of the government folks) simply ignore them. Some good efforts are being made to refactor and streamline the existing processes - but political interests have started mucking those up rather quickly.

Tue, Oct 11, 2011

There is a difference between legislation (passed by Congress, it becomes law) and regulation (a continuing regime of oversight administered by an executive agency, e.g. FCC, FAA, SEC). Congress may attempt to set cyber security standards in law, create or empower an agency to make and enforce rules and regulations for cyber security, or both. On highly technical matters the government tends to prefer regulation to simple legislation, but so far Congress has (wisely) avoided the temptation to set up an Internet Regulatory Agency, partially because of constituents' concerns about privacy and First Amendment guarantees of free speech, and also because they don't want to kill the goose that lays the golden eggs (deregulated Internet = opportunities for innovation = economic growth/jobs/prosperity). To achieve security objectives without overregulation, is the real trick.

Tue, Oct 11, 2011

DOD, DOD contractors, and federal agencies do not have compliance mandates such as those put out for industry (Sarbanes Oxley, HIPAA, etc.) in which key leaders face jail time for non-compliance and not practicing due care. DOD is great at finding issues, but horrible at resolving them. They talk about the same issues for years. They do not have the budget, staffing or skilled expertise to manage the problem. Contractors are just recently being considered a huge vulnerability since they have some of the most sensitive data being lost to adversaries. Cyber career fields should be expanding, but instead they are being seriously downsized while involved with 3 conflicts. On top of that, our aviation is now unmanned and as of newspaper headlines yesterday had been infected with cyber malware. Imagine that, a drone being hacked and turned against us. Cyber is too important to look the other way and downsize the active and reserve career field. Nations like China do not have to invest billions and even trillions in research and development when they can just steal the technology for free.

Tue, Oct 11, 2011

ummmm...we've had pounds of cyber security legislation since at least the 1970s. so....you are climbing onboard with the crowd that argues misconfiguration lies at the heart of most current attacks. fair enough. that said: we all know attribution is a key part of the solution space...once the cost of attacks rise the frequency will fall (not to mention the credibility of the laws/regs on the books). but government has conflicting objectives here (privacy). the age old problem of piorities; the law of unintended consequences consistently rears its head when government regulates - how do we avoid this?; the government itself doesn't hold internal violators of cyber security policy accountable...shouldn't it be setting the example?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above