Putnam: Tighten cybersecurity or face legislation
- By Susan M. Menke
- Nov 24, 2003
'The next major worm could cause a nuclear disaster or a flood, and the legislation that would get passed then would not be what industry would like.'
Rep. Adam Putnam
The White House's year-old National Strategy to Secure Cyberspace is 'useful as a paperweight,' but that's about all.
That's the contention of James Lewis of Washington's Center for Strategic and International Studies, who spoke last week at a Capitol Hill forum about the government's role in cybersecurity.
Calling the strategy too diffuse, Lewis said critical U.S. infrastructures such as electricity, telecommunications and finance 'are national in scale and need the feds to make sure they will keep working' in the face of terrorism and natural disasters.
Rep. Adam Putnam (R-Fla.) acknowledged that cybersecurity legislation is 'on temporary hold.' But the chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census warned that 'software patching is too difficult and time-consuming. A zero-day exploit is not far around the corner.' He predicted an attack in the not-too-distant future could take down networks worldwide within hours of the discovery of a new software vulnerability.
If the corporate world fails to move faster to strengthen its own safeguards, 'the next major worm could cause a nuclear disaster or a flood, and the legislation that would get passed then would not be what industry would like,' Putnam said.
Putnam said he does not want the Securities and Exchange Commission regulating corporate network security and will support 'the least-intrusive regulation because technologies change.'
But several industry speakers opposed any further government regulation of cybersecurity. Laws such as California's new Database Security Breach Information Act are 'leading to regulatory creep,' said Bruce Heiman, a partner in the Washington law firm of Preston Gates & Ellis.
If Congress does pass cybersecurity legislation, Heiman said, it should include liability protections for companies that comply.
Rep. Zoe Lofgren (D-Calif.) said the government's jawboning approach worked well for the year 2000 changeover but cannot succeed against 'cyberthreats that haven't been invented yet. We may not need legislation, but the government needs to take some action. We can use a carrot-stick incentive to guard the nation's infrastructure.'
She suggested three federal roles short of legislation:
- Persuading Internet service providers and operating system developers to protect their customers better
- Wielding the government's power as a software buyer to influence product design
- Researching network security in partnership with academia and industry.
Other speakers questioned the Homeland Security Department's ability to carry out its cybersecurity mission, saying it has too many vacancies and its new cyberczar, Amit Yoran, is too many layers down from secretary Tom Ridge.
But Greg Garcia, vice president of information security policy at the IT Association of America, said 'DHS' primary role is coordinating collaboration.' Garcia said DHS is 'paying attention to where we can close the gap.' He said next month's cybersecurity summit in Santa Clara, Calif., 'will be a big tent' for everyone with a stake in cybersecurity.
He predicted that industry will learn to view improved security 'as a brand selling point, but we don't yet have a model to put a value on it, something like the Underwriters Laboratory certification or the Good Housekeeping Seal.'