WASHINGTON, February 23, 2012 – Last week, after years of congressional hearings and dozens of legislative drafts, the Senate Homeland Security and Governmental Affairs Committee introduced the Cybersecurity Act of 2012 (S.2105). Senators Lieberman, Collins, Rockefeller and Feinstein introduced the bipartisan legislation following a year of high-profile cyberattacks on the Senate, CIA, FBI, utility companies and, most recently, the FTC. February’s timely Broadband Breakfast Club, “Cybersecurity Legislation in Congress: Where Does it Stand?”, brought together a panel of experts representing industry and multiple branches of government to discern the future of the proposed legislation and possible hindrances to its adoption.
Ari Schwartz, Senior Policy Advisor to the Secretary of Commerce, Internet Policy Task Force, United States Department of Commerce, gave the keynote address to kick off the event.
Schwartz began by reiterating FBI Director Mueller’s statement that cybersecurity in this country is now outpacing concerns over terrorism. He went on to explain the wide variety of threat actors, from teenage hackers in their bedrooms to organized crime, corporate espionage and, the most dangerous, nation-state espionage.
Schwartz made it clear that most of the work accomplished in the cybersecurity space has been done through private-sector-led standards. He believes that standards-based organizations have been responsible for leading us to where we are today. “The private sector has done the best job at building a network that is flexible, that has grown, that is open in its nature, and that has been an engine for new ideas and innovation.”
An issue he brought up was the role of the Department of Homeland Security in the proposed comprehensive cybersecurity legislation. Referring back to the administration’s proposal on where legislation would be most helpful, he noted, “What was DHS mandated to do? Protect critical infrastructure. The definition is broad and comes from the Patriot Act, but DHS currently has little authority to act in many of the needed sectors.”
Schwartz suggested that in order to give DHS the ability to ensure that the nation’s basic infrastructure is protected, the definition of critical infrastructure needs to be narrowed, and that this could be done through a rulemaking process.
For core critical infrastructure, Schwartz argued, progress toward cybersecurity will come through agreed-upon, standardized performance measures toward which people can build using whichever technology they deem necessary. He urged a retreat from technology mandates.
Schwartz was then joined on a panel by Larry Clinton, President, Internet Security Alliance; Tommy Ross, Senior Intelligence and Defense Advisor to Senator Harry Reid; and Nick Rossi, Minority Staff Director, Senate Homeland Security and Governmental Affairs Committee. Jennifer Martinez, Technology Reporter for Politico, stepped in to moderate.
Most of the panel spoke positively about the bipartisan legislative effort, including the feedback from multiple committees, hearings and stakeholders over the past couple of years.
Clinton was the first to address a series of concerns about the legislation. “We should be enacting creative and effective legislation and we have the opportunity to do that in this Congress; the question is, what should ‘that’ be. Industry is in support of info sharing, greater law enforcement, more research and development and educational components.”
Clinton’s biggest concern was the section of the bill that grants DHS new, undetermined authority. He said that many on the industry side do not think the process, as laid out in the bill, would work; in particular, it would result in a lag of 8-10 years before the performance requirements needed to regulate critical infrastructure would be ready. “The regulatory process designed to deal with the technology of previous eras does not work with 21st-century problems of cybersecurity.”
The correct model, Clinton stated, would account for market incentives, liability reform, better use of insurance, streamlined regulations and better use of government procurement, so as to change the economics of cybersecurity. Industry is currently investing enough to fulfill its own cybersecurity responsibility but cannot be asked to invest for national defense purposes as well, as that is not in shareholders’ interest.
Clinton suggested alternative models, such as industry collaboration with the DOJ, DOD and Commerce to create more market incentives for industries to update their systems. That, he said, “would be a dynamic motivator that moves much quicker and, we think, can have more security, faster, and that fits with economics and technology.” Clinton added, “this bill only deals with technology and not the economics; it describes how attacks occur but not why they occur.”
Rossi defended the bill, stating that it is not a traditional regulatory bill and that its authors have avoided technology mandates because they are aware that this is an area where technology outpaces regulation. What they have proposed is the development of performance requirements that are essentially best practices for the most crucial segments of our critical infrastructure, and not something they expect to affect a wide swath of the private sector. Rossi added that there are protections in the bill that would “make sure that if there are existing regulations that satisfy the security needs of a sector they can receive a waiver, and if there is a specific company that has already adopted sufficient security then it too can get a waiver.”
In addition, the bill incorporates a title, included by Senator Feinstein, that calls for improved information sharing “that would benefit not only critical infrastructure, but more broadly, those that are willing to participate in information exchanges with the government.”
Ross continued from Rossi’s statement by addressing the idea of market incentives. Ross believes there is a challenge in relying solely on the market: while in some situations there are sufficient incentives for the adoption of stronger security measures, in other cases market forces are inefficient. One issue is a lack of competition in certain markets, as in the energy utility field, where there are limited incentives to build cybersecurity into the network. A second issue is that there is a wide range of threats, and the low-probability, high-risk attacks are the ones that could be the most devastating. Yet the private sector is not ready to invest much in low-probability scenarios. “In order to make sure that we are not vulnerable in those attacks, the government needs to be able to intervene in a very targeted manner for those specific attacks.”
Schwartz chimed in to add some thoughts about insurance and low-probability, high-consequence attacks. “There is no market out there,” said Schwartz, and “mandating a market will not create a market. However, putting together performance requirements can help to build an insurance marketplace.”
In response to Ross’ comment about utilities, Clinton pointed out that the economics of the industry are already built into the regulatory structure and that government already has the mechanism to move in and work with those entities that have existing structures.
In the new world, Clinton continued, where the private sector is on the front lines of national defense, there are going to have to be new incentives.
With regard to insurance, Clinton agreed that insurance is one of the best motivators of pro-social behavior and can certainly be used to drive more cybersecurity. Clinton added that some antitrust statutes need to be changed to get insurance companies to share more information. “If information was shared, there would be a more realistic assessment of risk that would lower prices. When you lower prices, more companies get into the market… when you push down prices, more people buy insurance and you get a virtuous cycle.”
Ross also mentioned that they were working out, through DHS’s sector-specific performance standards approach, the resolution of artificial market gaps. With regard to energy again, FERC and NRC have two different standards for meeting cybersecurity concerns; DHS can serve a coordinating function to ensure that standards across sectors where there are regulatory entities are working at a consistent level, with no artificial unevenness.
To clarify performance standards, Ross added that their focus is on “performance standards that focus on fixes in network design and are not affected by the exact origin of the individual threats.” He used air-gapped SCADA systems as an example.
Rossi added, “we are looking at existing regulatory regimes, deferring to primary regulators and taking advantage of requirements and regulations that are already in place; we are not trying to create additional layers.” Rossi reiterated that they are not focusing on the actual technology but rather on performance requirements that particular critical infrastructures or assets would need to work toward. He added that the liability protections built into the bill are protections against punitive damages, but that they are interested in finding additional ways to build more incentives into the bill.
When asked about the perceived urgency surrounding a potential massive attack on critical infrastructure within the next two years, Ross rejected the notion that it would take 8-10 years to put standards in place. “The approach embodied in the bill is characterized by a nuanced, sophisticated understanding of the regulatory landscape and the threat landscape. It is not a question of whether we should or should not regulate; every sector is different, with different needs, activity and regulatory environment.” He added that “the bill calls for DHS to do a risk assessment and prioritize the most critical infrastructure.” Under this bill, DHS will not be charged with implementation, inspections or mandating specific infrastructure. The performance requirements will be established and it will then be left to the private sector, either through self-certification or third-party assessment, to determine whether they are in compliance.