by Mark MacCarthy

Making certain the cyber-attack cure doesn’t kill the patient

Apr 01, 2015

Government mandates won't solve our cybersecurity problem

[Image: cyberthreat. Credit: Thinkstock]

First, let’s acknowledge the obvious: Cyber-attacks are accelerating and having a real economic impact. Just look at recent headlines, such as “Sony hack unprecedented” or “Home Depot cyber breach costs at $33 million and counting.” In the last year, Anthem, Target, Premera Blue Cross, and many others have endured large and costly attacks.

What is less obvious is what Washington will do to help cure our cyber-attack epidemic. Like Y2K a generation ago, the potential consequences of the problem are so vast that a coordinated national solution is needed. But even with mounting threats, the urge to do something should never be stronger than the urge to do something intelligent.

China’s proposed cybersecurity measures demonstrate what not to do. New rules would require all Chinese banks to use information technology that is “secure and controllable.” To satisfy this, banks doing business in China would have to use Chinese-developed technologies, intellectual property, and encryption algorithms. 

An additional, proposed counterterrorism measure would extend this approach to their entire economy. While seemingly imposing stronger safeguards, these moves would be highly counterproductive. Chinese firms would lose access to the world’s best technology, including the best security technology.

Imposing top-down government security standards may sound like a reasonable way to ensure consistent levels of protection and guard against foreign cyber-spying. But government technology mandates don’t work, especially in the fast-moving world of information security. Any such mandate would be obsolete almost as soon as it was adopted. Moreover, a focus on complying with government rules inhibits the key mindset policymakers must encourage — a willingness to experiment and innovate. Instead, companies will focus all security activity on checking a compliance box, rather than remaining alert and vigilant to the next threat.

Thankfully, smarter ways to address cybersecurity that do not involve government-prescribed solutions are being advanced in Washington.

One way is for the government to compile and encourage a list of best practices and standards. Just over a year ago, the National Institute of Standards and Technology (NIST) released its Framework for Critical Infrastructure Cybersecurity. The basic insight is that organizations must have the knowledge and the incentive to manage their own cybersecurity risks. The NIST report does not mandate a “one-size-fits-all” approach, but instead assembles the “standards, guidelines, and practices that are effective in industry today.” It encourages companies to adapt these practices to their own unique risks and risk tolerances. This same public-private partnership approach was on display at the recent White House Summit on Cybersecurity and Consumer Protection.

Another step in the right direction is for the government to ensure companies have timely information about the latest threats so that they can take protective action. As House Homeland Security Committee Chairman Michael McCaul (R-TX) noted recently: “Between the government and the private sector, we have the information needed to limit cyber threats and stop fresh attacks. But we are not sharing that information. Critical information is not disclosed efficiently….”

There is one very significant reason why: for information sharing to work, private companies must have liability protections so the threat of lawsuits or regulatory actions doesn’t cause them to delay or avoid disclosure. Effective cybersecurity legislation must ensure that threat information voluntarily shared or received by a private entity will not be used as the basis for private or government lawsuits or regulatory actions, or be subject to Freedom of Information Act requests.

In a recent positive step, the president in January recommended a package of cybersecurity measures, including enabling cybersecurity information sharing. Then the Senate Intelligence Committee approved a bill in March to increase the sharing of cybersecurity threat information, and a week later the House Intelligence Committee passed its version of the bill. In the House Homeland Security Committee, Chairman McCaul is also advancing a bill.

Legislation should also ensure that companies won’t face antitrust action if they cooperate to share cyber threat information. In April 2014, the Department of Justice and Federal Trade Commission issued an Antitrust Policy Statement on Sharing of Cybersecurity Information, making clear their view that antitrust should not be “a roadblock to legitimate cybersecurity information sharing.” This policy should now be put in law.

And finally, any cybersecurity legislation should also include robust privacy protections to ensure that personally identifiable information is never shared with government agencies along with genuine cyber threat information.

With these policies in place, the United States will provide a partnership between the public and private sectors that encourages both information sharing and innovation. We know what needs to be done; now it is time for Congress and the White House to turn these sensible legislative proposals into law.