WASHINGTON — Cybersecurity experts on Wednesday warned members of a House subcommittee against racing to legislation that would establish an overly burdensome regulatory framework for safeguarding digital systems against attacks, instead urging a more limited approach that would clear away legal impediments such as the prohibitions against sharing critical threat information.
Most, though not all, of the witnesses testified in favor of a strictly limited federal approach to cybersecurity, one that would be light on regulation while focusing on incentives and coordination across the private sector and with government agencies.
Several panelists and some lawmakers expressed the concern that prescriptive regulation in such a rapidly evolving sector as cybersecurity would threaten to hobble the development of new defense mechanisms as companies grapple with an additional set of compliance requirements.
“Traditional approaches, including federal regulation, will not solve the problem because they’re going to be largely reactive and will not stay ahead of the changing threat nature,” Larry Clinton, president and CEO of the Internet Security Alliance, told members of the House Energy and Commerce Committee’s communications and technology subcommittee.
“Worse, to add regulation would be counterproductive, leading companies to expend their limited resources on building in-house efforts to meet regulatory demands rather than focusing on security,” Clinton added.
Debate Looms as Senate Wraps Up Bill
The House hearing comes as the latest step in the run-up to what could become a major debate in Washington, as members of the Senate put the finishing touches on what is expected to be a comprehensive overhaul of the policy framework for the nation’s cyber defenses. That bill would likely vest the Department of Homeland Security with limited regulatory oversight of critical infrastructure operators, among other provisions. Majority Leader Harry Reid has signaled his intention to put the legislation on the fast track for a floor debate in the Senate.
The lone advocate of a comprehensive approach at Wednesday’s hearing was James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
“The central problem for the U.S. will be redefining the role of government,” Lewis said in his written testimony. “There are clearly areas where the government should not interfere. At the same time, cybersecurity is a national security problem that requires more government involvement, not less.”
The House Takes a Different Approach
In contrast with the Senate, the House is taking a more piecemeal approach, with various small-scale bills working their way through the committees of jurisdiction. One piece of legislation that emerged from the Intelligence Committee drew praise from some of the witnesses for its narrow focus on clearing away the legal obstacles to sharing information about threats.
The Cyber Intelligence Sharing and Protection Act would remove antitrust restrictions to allow private companies to coordinate their defense strategies. Additionally, the bill would authorize government intelligence authorities to share information about critical threats with certain industry stakeholders who had obtained appropriate security clearances, a provision that would seek to rectify the imbalance in the flow of information between the public and private sectors that many business leaders have identified.
“I’m tired of it being a one-way street to intelligence with nothing in return,” said Bill Conner, president and CEO of security software vendor Entrust.
The intelligence sharing bill would also include provisions to create incentives for private firms to improve their cybersecurity posture without imposing new regulations. Companies that could demonstrate their good-faith participation in information-sharing programs and the implementation of certain security measures would enjoy a shield from legal liability in the event of a successful attack.
Those types of steps could go a long way toward bringing cybersecurity into alignment with a private business’s commercial interests, a disconnect that continues to result in many firms taking a lax approach toward security, according to Robert Dix, vice president of government affairs and critical infrastructure protection with networking-equipment provider Juniper Networks.
“If we focus only on technology and technology development, we are likely to miss the opportunity to examine the challenges and impediments to technology and solution adoption,” said Dix, an opponent of any broad legislative mandate that would implement new regulations. “The market is delivering innovation at an unprecedented pace in history. However, the evidence would suggest that adoption of available solutions has not kept pace.”
For Lewis of CSIS, incentives are an integral part of the solution that could take the form of tax breaks or subsidies for private-sector firms to bolster their defenses, but regulation, in certain cases, will be a necessary policy lever.
“There’s straightforward evidence that what we’re doing now isn’t working,” he told the panel.
Lewis was quick to note that the heightened regulation he envisions would not a one-size-fits-all prescription, and that industries such as telecommunications providers, which he credited with having done a good job of protecting themselves. Other sectors, meanwhile, are in “bad shape,” he said, a threat that looms large over all the interrelated sectors of the economy. “An unregulated internet is not a substitute for a friendly business environment,” he said.
“This is a place where we don’t want the government creating the technology,” Lewis added, “but you [might] want it coordinating a response.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.