Congress Rushing to Overcompensate for Cybersecurity Inaction, Says ISA President
SANTA CLARA, Calif. -- Both houses of an ill-informed Congress this year probably will pass cybersecurity legislation that’s too burdensome for business, to overcompensate for inaction the past 10 years, said President Larry Clinton of the Internet Security Alliance. The organization includes Verizon, Symantec, VeriSign, SAIC and the National Association of Manufacturers.
“They seem to be adopting pretty much a 20th-century approach to government-industry relations,” Clinton said late Wednesday at the Cloud Connect conference. The threat is that federal legislation will put “constraints” on the development of cloud computing, he said. Clinton encouraged audience members to lobby Sen. Dianne Feinstein, D-Calif., “a big player in this” as a member of the Judiciary Committee, which deals with civil liberties, and of the Intelligence Committee.
Jurisdictional overlaps in the House and probable differences between any measures that the chambers pass make enactment of a new law this year questionable, Clinton said. “The thing that’s more important than anything” else in Washington “is turf,” he said. “They have to figure out how to get a bill through the House,” where several committees have an interest in the subject. If it gets through, the “conference committee is going to be the key” to whether a measure gets to the president, Clinton said.
Clinton predicted that legislation would hold business responsible for “critical infrastructure protection.” Rather than spelling out who’s covered, the measure would leave that to the Department of Homeland Security, he said. The government’s role would be oversight and ensuring compliance, Clinton said. Covered companies would have to report to officials twice a year on their performance in relation to technology standards and could receive civil fines for falling short, he said.
Pointing to a draft cybersecurity bill from the staffs of the Senate Homeland Security and Commerce committees, Clinton called the public-private partnership envisioned on the Hill “kind of like the partnership the prison guard has with the prisoner,” with business being required to do the heavy lifting and the government second-guessing its performance. “Liability is the way government believes in to motivate general government behavior,” he said. Clinton said he thinks “profitability” is the way.
“We are attempting to push back somewhat,” Clinton said. His alliance’s position is that the U.S. can’t regulate its way to growth, and a real cybersecurity partnership is needed between business and the government, he said. Responsibilities, costs and incentives aren’t aligned, Clinton said. “Security is not economic. Security is generally a cost.” He said, “What we have to do is solve the economics problems at the same time as we solve the security problems.” Clinton said he seeks government “economic incentives” for security efforts by businesses. These could include benefits regarding procurement, regulatory requirements or legal liability, he said. Clinton also wants “independent assessments of effectiveness” of security measures by a body similar to Underwriters Laboratories.
There’s a big push in Washington for cybersecurity “education for K through 12,” Clinton said. “What we really need is education for House through Senate.” Most lawmakers are “digital immigrants,” he said -- “older people” whose ideas about “security are fairly antiquated.” Clinton quoted an unspecified committee aide who was the architect of a cybersecurity bill as having told him, “Just tell us what is the gold standard of security and we’ll make everybody do it.” But “it doesn’t work that way,” Clinton said. “We need an ongoing, dynamic process.” Policymakers “want an easy answer,” Nick Tsilas, Microsoft’s senior director of public policy, agreed on a panel with Clinton, “and there is no easy answer.”
Washington has no monopoly on fear or ignorance, Tsilas said. Foreign governments, particularly in Europe, view cloud computing mainly in relation to gains and losses for themselves, he said. And there’s wariness because the industry is regarded as U.S.-dominated, Tsilas said.