International Trade Today is a service of Warren Communications News.
Motivating Businesses

Experts Say U.S. Should Act on Cybersecurity, Instead of Waiting for Disaster

SAN FRANCISCO -- “The odds are we'll wait for a catastrophic event” for the U.S. government to impose cybersecurity requirements, said Mike McConnell, a former director of national intelligence. “I hope that doesn’t happen,” but it’s the usual pattern for action, he said at the RSA Conference late Wednesday. Legislation could give legal protections for measures to protect networks, in addition to imposing liability for lapses, said McConnell, an executive vice president of Booz Allen Hamilton.


McConnell conceded that he “didn’t make the dent” he meant to in promoting public-private information-sharing while he was in office. Government officials “didn’t share any information” with business, McConnell said: “It was all one way,” information going to government from business. The more companies know about the vulnerabilities that the government has detected, the more they'll invest in security, he said. Jim Lewis, director of the Center for Strategic and International Studies’ technology and public policy program, pointed to the Defense Industrial Base Defense Sector Assurance Plan as a good counterexample, in which, he said, DOD has scared contractors into action by disclosing cyberthreats.

There’s a limit to what any incentives can accomplish, said Bruce Schneier, BT’s chief technology security officer: None is big enough to persuade a company to prevent damage greater than its own value. What looks from a security standpoint like the benefits of redundancy appears from a business vantage to be inefficiency, McConnell said. Environmental regulation offers a model for public policy in handling risks to society whose solutions don’t fit business plans, Schneier said. A key is to “regulate results, not technology” to promote innovation rather than stifling it, he said.

Lewis cited an unidentified White House aide as once having told him that cyber regulation would run counter to the Internet’s remaining the “Wild West,” a condition the aide considered crucial to innovation. McConnell disagreed, saying that requiring security measures is needed “for continued momentum” online. “I think we can have both the Wild-West-like Internet we know and love and have cybersecurity,” Schneier said.

There are “a lot of sweet spots” between heavy-handed regulation and an absence of security, Schneier said. The whole problem doesn’t need to be attacked at the same time, said consultant and former Homeland Security Secretary Michael Chertoff. Large problems like insider attacks and supply-chain vulnerabilities could be dealt with first, he said, and the most sensitive sectors before others. Creation of “a lot of pilots,” within a framework set by the government, would spark innovation and competition, Chertoff said.

Corporate directors would be moved to action by a requirement that public companies certify system risks, backups and resiliency, Chertoff said. Unexpectedly, the Sarbanes-Oxley Act “was the one thing that worked” in selling companies on the need for cybersecurity, Schneier said. Treaties and other international agreements are needed to ensure that online crime and attacks receive high-level handling within governments, Schneier said. “I worry that too much is happening too low in the command chain” and a “cyberwar arms race” is approaching, he said.