International Trade Today is a service of Warren Communications News.
Information Sharing ‘Critical’

Chamber of Commerce Skeptical of ‘Regulatory’ Cybersecurity Executive Order

Former Department of Homeland Security Secretary Tom Ridge said he’s “skeptical” the U.S. Chamber of Commerce would support the administration’s proposed cybersecurity executive order. “My sense tells me that it will probably go back to the traditional regulatory mode,” said Ridge Thursday at a cybersecurity event hosted by the U.S. Chamber. Ridge, who is now chairman of the Chamber’s national security task force, said he plans to lobby Congress for legislative fixes if President Barack Obama introduces an order.

Ridge said it’s important for private sector companies to reset the cybersecurity debate to break the current stalemate on Capitol Hill. “The best way to build a strategy on cyberdefense is to share information between trusted partners,” said Ridge. “So hopefully in the course of the conversation we can reset the debate. If there is to be an executive order, we are going to have to look at it carefully in case we have to go to the Hill to try to get Congress to either amend, modify or change the impact of the order.” Ridge said congressional legislation can accomplish things that a cybersecurity executive order cannot, like provide liability protections, increase cyberthreat information sharing, increase criminal penalties for cyberattacks and increase incentives to employ new cybersecurity experts.

Ridge was optimistic that Congress would eventually pass cybersecurity legislation and again touted the House-passed Cyber Intelligence Sharing and Protection Act (CISPA) (HR-3523) and the SECURE IT Act (S-2151) as viable options. Though the Chamber supported “70 or 80 percent” of the Cybersecurity Act (S-3414) there were portions of the bill upon which stakeholders could not build a consensus, he said. In August negotiations over S-3414 collapsed due to the Chamber’s staunch criticism of the bill’s voluntary cybersecurity standards, which the group said could be used to impose costly new obligations on U.S. businesses (CD July 27 p8). Ridge said the Chamber fundamentally believes that two-way cyberthreat information sharing is essential to securing networks from attack. “Information sharing is the way forward. Regulation is the moat around the castle that is going to keep us from advancing,” he said.

CISPA could still pass before the end of the year, said the bill’s sponsor, House Intelligence Committee Chairman Mike Rogers, R-Mich., asking attendees to “engage in the Senate.” There have been newly discovered cyberthreats, he said, which have sparked a new interest in the bill and could get it passed when Congress returns in November. While he refused to get specific about the threats, he said, “new capabilities [are] coming online every day,” and added, “the Chinese are great at stealing information.” Information about new cyberthreats, he said, should result in “at least a revitalized discussion between the House and the Senate [about] possibilities for the way forward.”

The potential executive order is “irresponsible,” Rogers said, because the White House did not consult with the House Intelligence Committee or the private sector. “Why you wouldn’t want input from the outside on this stuff is beyond me,” he said. Rogers said he hopes the National Intelligence Council will complete a National Intelligence Estimate (NIE) on cyberthreats. Many people don’t really understand the threats, he said, and an NIE “would be a great way to lay out something on the table to show what the threat matrix is.”

DHS should not be leading cybersecurity efforts, Rogers said. It failed to maintain progress with the Defense Industrial Base Sector Pilot, which had been credited for gains in network defense strategies, he said. There were 20 companies in the pilot program, which was run by the Defense Department, he said. Since DHS took over in the last year and expanded it from the pilot, there are fewer than 20 companies, he said: “That is not keeping pace with the seriousness of the threat.”

Government agencies will have to work together and with private industry to combat cybersecurity threats, said Gen. Keith Alexander, director of the National Security Agency and head of U.S. Cyber Command. “We all have a problem, and we ought to all be a part of the solution,” he said of government agencies, members of private industry and members of academia. “Somebody has got to tell us when problems exist,” he said, asking members of the industry to alert the government of new and emerging threats, while government agencies work together to combat those threats.

This kind of cooperation will “require DHS and FBI and others to be on that government team,” Alexander said. DHS involvement would help alleviate privacy and civil liberties concerns while addressing cybersecurity concerns, he said. “We can and must do both,” he said. “We’re trying to do this transparently,” he said, and DHS involvement will help the government “get past that civil liberties question” so it can focus on cybersecurity.

Former House Intelligence Committee Chairman Dave McCurdy, D-Okla., said on a separate panel the authors of S-3414, Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, don’t understand the level of corporate involvement in defending from cyberattacks. “We agree on the goal of protecting cybersecurity, we need to protect and defend” the nation’s networks from attack, said McCurdy, who is now CEO of the American Gas Association. More broadly, McCurdy said he thought the senators have “missed the mark a little bit” and warned lawmakers not to oversimplify the cybersecurity issue. “It was really about information sharing and we believe that was absolutely critical” in bills like CISPA and SECURE IT, he said.

Lawmakers and federal agencies should be cognizant that some regulations can actually make businesses more vulnerable to attacks, said Marcus Sachs, Verizon vice president-national security policy. Recent SEC rules that urge companies to disclose their cybersecurity posture and details on past attacks “might make it worse by painting a target on someone,” he said. “We have to change the conversation. The incentive model is a good model but it can’t be tied to dollars.”

Michael Hayden, former director of the CIA and National Security Agency, said better cybersecurity depends on a cultural change in America that values more education on cybersecurity issues. “You need a ‘Smokey Bear’ campaign that starts in school,” he said: “It will take a long time to get that kind of education.”

The U.S. needs to consider how its cyberefforts affect international cybersecurity norms and perceptions, Hayden said. Hayden said he is in “awe” of the breadth, depth, sophistication and persistence of the alleged Chinese cyberespionage effort against the U.S. But he admitted that the U.S. also steals data from foreign states, which makes it more difficult to draw a line as to what is acceptable behavior in the cyber domain. “We steal stuff too and we’re really good at it. But we limit our theft to protect your safety and your liberty. We don’t steal intellectual property like the Chinese do,” he said. Hayden said the use of advanced cyberweapons against hostile nation states like Iran will encourage them to retaliate. “The popular story is that we did it … whether that is true or not, everyone thinks that since America did it it must be OK. If I’m Iranian I think I’ve been provoked and I think ‘game on.’” Nevertheless, Hayden said he thought that using cybertools to “crash” the centrifuges in an Iranian nuclear facility was a positive thing.