Industry Reacts To Proposed Regulations
By Austin Wright
As Congress moves forward with a long-awaited cybersecurity bill, industry leaders are voicing mixed views about the proposed measure.
On the one hand, the new regulations could be a burden. On the other, the alternative – lax cybersecurity standards – could be worse.
The Cybersecurity Act of 2010, sponsored by Sens. John D. Rockefeller, D-W.V., and Olympia J. Snowe, R-Maine, has been revised several times in Senate committees and is nearing a full vote on the chamber floor. The bill includes a number of incentives that are intended to motivate business leaders and government officials to share information that would help both parties better protect their data.
The bill also requires cybersecurity to be a consideration in every federal acquisition of technology products and services.
In February, the House passed a similar version of the bill. The latest draft of the Senate legislation eliminates a controversial provision – dubbed the “kill switch” – that would have allowed the president to shut down private networks in the event of a massive cyberattack.
“That’s what the attacker wants – to disable our online infrastructure,” said Larry Clinton, president and CEO of the Internet Security Alliance, a trade association that advocates for businesses.
Clinton wrote a letter praising many aspects of the proposal, including the elimination of the kill switch and the nixing of language that would have mandated security standards for all companies.
Clinton still objects to other parts of the bill.
The legislation would allow federal regulators to audit certain companies every six months. Clinton said this is excessive, and he warned that tighter regulations on businesses could cause them to relocate outside the country, where the rules wouldn’t apply. “The last thing we want is to push the cybersecurity industry outside the United States,” he said.
“Companies fear the auditor more than the attacker,” he wrote in his letter. He said he believes the federal government should offer tax breaks and rewards to motivate companies to improve their own security – rather than punishing them if they don’t. The current draft of the bill would set up cybersecurity competitions and awards.
Government officials have argued that if defense contractors and other companies don’t adequately protect their networks, they risk putting vital data about U.S. weapons in the hands of foreign spies. As of 2007, hackers had stolen at least 10 terabytes worth of sensitive information from Defense Department networks, according to an Air Force estimate.
Many business leaders contacted by National Defense believe the federal government has taken too long to set cybersecurity policies, while others thought the government must take its time to make sure the regulations work as intended.
Poorly written legislation could cripple U.S. businesses by overwhelming them with security costs that companies in other countries don’t have to pay. But the absence of legislation leaves everybody vulnerable, Clinton said.
He believes the federal government should have started working on legislation a decade ago, when his organization was founded. He hopes, however, that lawmakers don’t rush to make up for their late start.
Other industry leaders wish the Senate moved faster to pass legislation.
“The government has taken too long to get its rules and standards out,” said retired Air Force Lt. Gen. Bill Donahue, an executive vice president at the information technology firm TechTeam Government Solutions.
He said some companies have postponed their own cybersecurity initiatives to wait for the government to take the lead. They are hesitant to make investments before they’re able to make sure they comply with potential regulations, Donahue said.
“We have failed as a nation to realize that cyber is as critical to national security as air, land, sea and space,” he said. “Time is not our friend on this.”
A Government Accountability Office report released in March said the federal government has yet to clarify the roles of different agencies and departments. It said the government has taken too long to define its strategy, set standards and reach out to other countries.
The report also criticized officials for failing to clarify how agencies will share data on cyberattacks with corporations. The Senate bill would require the president to provide security clearances to key private sector officials so they could access that information.
Patrick Gorman, a cybersecurity expert at Booz Allen Hamilton, said he doesn’t think the federal government has dragged its feet on the issue. Historically, he said, it has taken the government several decades to figure out how to write regulations for emerging technologies and threats.
“If the government enters too early, it stifles innovation, and if it enters too late, it’s reacting to a problem,” Gorman said. “The timing of this is completely natural.”
Only in recent years has it become apparent that the government would need a coordinated effort to compel businesses to add more layers of cybersecurity than they would add otherwise, he said.
Like Clinton, Gorman prefers market-based incentives to mandated standards. “Do you get much out of auditing and compliance exercises?” he said. “I don’t have an answer for that.”
He also said the government runs the risk of having several agencies collecting data on cyberthreats but not sharing that data effectively – the same way information on terrorists wasn’t properly shared prior to the terrorist attacks of 9/11.
The greatest threat to U.S. cybersecurity, he believes, is the shortage of expertise in the field. “We’re just not producing enough people,” he said.
The American Recovery and Reinvestment Act of 2009, along with the proposed cybersecurity legislation, includes money intended to boost programs that train Internet security professionals.
Also, many defense contractors have partnered with colleges and high schools in an effort to spark students’ interest in cybersecurity.
National Defense submitted a Freedom of Information Act request to the Department of Homeland Security seeking data related to its goal of hiring 1,000 additional cybersecurity employees over the next three years, but the department has yet to provide the information.
“Businesses have to cooperate with their competitors on initiatives that will grow the labor pool,” Gorman said. “We need a robust recruiting effort.”
The Senate bill sets up scholarships through the National Science Foundation that would pay for students’ college education. In return, those students would take cybersecurity jobs at federal agencies upon graduation.
Several industry leaders suggested that, as part of its cybersecurity regulations, the federal government should create an insurance market that would compensate customers for stolen data or damaged systems.
Zalmai Azmi, a senior vice president at CACI International Inc., said he supports the idea but thinks it would be tough to implement. “How do you put a value on data?” he asked. “This is a discussion that needs to happen between the government and contractors.”
Clinton said a robust insurance industry would encourage the private sector to improve.
“Insurance motivates people to comply with industry’s best practices,” he said, noting that policyholders likely would pay lower rates if they demonstrated that they have strong security measures in place.
“This would also create a private monitoring system of who’s doing what,” he said. The reason the United States lacks a large cybersecurity insurance industry, he believes, is because the risk is too high to keep premiums reasonable. He suggested that the federal government create a backstop fund that would be a safety net for insurers until they could replace that fund with private dollars.
“This would mean that if your client is attacked on day one, you don’t go out of business,” Clinton said.
Tom Conway, director of federal business development for McAfee, said he believes the Senate bill’s requirement that all acquisition efforts include a cybersecurity component will have a positive effect. McAfee is currently installing a security package on each of the Defense Department’s 5 million to 7 million computers.
“It’s more than just developing a great widget,” Conway said. “Now you’ll have to be able to protect that widget.”