February 2012 Breakfast Club Recap: Cybersecurity Legislation in Congress, Performance Measures and Critical Infrastructure

WASHINGTON, February 23, 2012 – Last week, after years of congressional hearings and dozens of legislative drafts, the Senate Homeland Security and Governmental Affairs Committee introduced the Cybersecurity Act of 2012 (S.2105). Senators Lieberman, Collins, Rockefeller and Feinstein introduced the bipartisan legislation following a year of high-profile cyberattacks on the Senate, CIA, FBI, utility companies and, most recently, the FTC. February’s timely Broadband Breakfast Club, “Cybersecurity Legislation in Congress: Where Does it Stand?”, brought together a panel of experts representing industry and multiple branches of government to discern the future of the proposed legislation and possible hindrances to its adoption.

Ari Schwartz, Senior Policy Advisor to the Secretary of Commerce, Internet Policy Task Force, United States Department of Commerce, gave the keynote address to kick off the event.


Schwartz began by reiterating FBI Director Mueller’s statement that cybersecurity in this country is now outpacing the concerns over terrorism. He then described the wide variety of threat actors: everyone from teenage hackers in their bedrooms to organized crime, corporate espionage and, most dangerous, nation-state espionage.

Schwartz made it clear that most of the work accomplished in the cybersecurity space has been done through private-sector-led standards. He believes that standards-based organizations have been responsible for leading us to where we are today. “The private sector has done the best job at building a network that is flexible, that has grown, that is open in its nature, and that has been an engine for new ideas and innovation.”

An issue he brought up was the role of the Department of Homeland Security in the proposed comprehensive cybersecurity legislation.  Referring back to the administration’s proposal on where legislation would be most helpful he noted, “What was DHS mandated to do?  Protect critical infrastructure.  The definition is broad and comes from the Patriot Act, but DHS currently has little authority to act in many of the needed sectors.”

Schwartz suggested that, to give DHS the ability to ensure that the nation’s basic infrastructure is protected, the definition of critical infrastructure needs to be narrowed, and that this could be done through a rulemaking process.

For core critical infrastructure, Schwartz argued, progress toward cybersecurity will happen through agreed-upon, standardized performance measures toward which people can build using whichever technology they deem necessary. He urged a retreat from technology mandates.

Schwartz was then joined on a panel by Larry Clinton, President, Internet Security Alliance; Tommy Ross, Senior Intelligence and Defense Advisor for Senator Harry Reid; and Nick Rossi, Minority Staff Director, Senate Homeland Security and Governmental Affairs Committee. Jennifer Martinez, Technology Reporter for Politico, stepped in to moderate.

Most of the panel spoke positively about the bipartisan legislative effort, including the feedback from multiple committees, hearings and stakeholders over the past couple of years.

Clinton was the first to address a series of concerns about the legislation. “We should be enacting creative and effective legislation and we have the opportunity to do that in this Congress. The question is, what should ‘that’ be? Industry is in support of info sharing, greater law enforcement, more research and development and educational components.”

Clinton’s biggest concern was the section of the bill that grants DHS new, undetermined authority. He said that many on the industry side do not think the process, as laid out in the bill, would work. In particular, they believe it would result in a lag time of 8-10 years before the performance requirements needed to regulate critical infrastructure would be ready. “The regulatory process designed to deal with the technology of previous eras does not work with 21st century problems of cyber security.”

The correct model, stated Clinton, would account for market incentives, liability reform, better use of insurance, streamlined regulations, and better use of government procurement, so that there could be a change in the economics of cybersecurity. Industry is currently investing enough to fulfill its own cybersecurity responsibility but cannot be asked to invest for national defense purposes as well, as that is not in its shareholders’ interest.

Clinton suggested alternative models, such as industry collaboration with the DOJ, DOD and Commerce, to create more market incentives for industries to update their systems. That, he said, “would be a dynamic motivator that moves much quicker and, we think, can have more security, faster, and that fits with economics and technology.” Clinton added, “This Bill only deals with technology and not the economics, it describes how attacks occur but not why they occur.”

Rossi defended the bill by stating that it is not a traditional regulatory bill and that its drafters have avoided technology mandates because they are aware that this is an area where technology outpaces regulation. What they have proposed instead is the development of performance requirements that are essentially best practices for the most crucial segments of our critical infrastructure, and not something they expect to affect a wide swath of the private sector. Rossi added that there are protections in the bill that would “make sure that if there are existing regulations that satisfy the security needs of a sector that they can receive a waiver, and if there is a specific company that has already adopted sufficient security then it too can get a waiver.”

In addition, the Bill incorporates a Title included by Senator Feinstein that calls for improved information sharing “that would benefit not only critical infrastructure, but more broadly, those that are willing to participate in information exchanges with the government.”

Ross continued from Rossi’s statement by addressing the idea of market incentives. Ross believes there is a challenge in relying solely on the market: while in some situations there are sufficient incentives toward adoption of stronger security measures, in other cases market forces are inefficient. One issue is a lack of competition in certain markets, such as the energy utility field, where there are limited incentives to build cybersecurity into the network. A second issue is that there is a wide range of threats and that the low-probability, high-risk attacks are the ones that could be the most devastating. Yet the private sector is not ready to invest much in low-probability scenarios. “In order to make sure that we are not vulnerable in those attacks, the government needs to be able to intervene in a very targeted manner for those specific attacks.”

Schwartz chimed in to add some thoughts about insurance and the low-probability/high-consequence attacks. “There is no market out there,” said Schwartz, and “mandating a market will not create a market. However, putting together performance requirements can help to build an insurance marketplace.”

In response to Ross’ comment about utilities, Clinton pointed out that the economics of the industry are already built into the regulatory structure and that government already has the mechanism to move in and work with those entities that have existing structures.

In the new world, Clinton continued, where the private sector is on the front lines of national defense, there are going to have to be new incentives.

With regard to insurance, Clinton agreed that insurance is one of the best motivators of pro-social behavior and can certainly be used to drive more cybersecurity. Clinton added that there are some antitrust statutes that need to be changed to get insurance companies to share more information. “If information was shared, there would be a more realistic assessment of risk that would lower prices. When you lower prices, more companies get into the market … when you push down prices, more people buy insurance and you get a virtuous cycle.”

Ross mentioned that they were working, through DHS’ sector-specific performance standards approach, to resolve artificial market gaps. Returning to energy, he noted that FERC and NRC have two different standards for meeting cybersecurity concerns. DHS can serve a coordinating function there, ensuring that standards across sectors that have regulatory entities work at a consistent level with no artificial unevenness.

To clarify performance standards, Ross added that their focus is on “performance standards that focus on fixes in network design and are not affected by the exact origin of the individual threats.” He used air-gapped SCADA systems as an example.

Rossi added, “We are looking at existing regulatory regimes, deferring to primary regulators and taking advantage of requirements and regulations that are already in place, we are not trying to create additional layers.” Rossi reiterated that they are not focusing on the actual technology but rather on performance requirements that particular critical infrastructures or assets would need to work toward. He added that the liability protections built into the bill are protections for punitive damages, but that they are interested in finding additional ways to build more incentives into the bill.

When asked about the perceived urgency surrounding a potential massive attack on critical infrastructure within the next two years, Ross rejected the notion that it would take 8-10 years to put standards in place. “The approach embodied in the bill is characterized by a nuanced, sophisticated understanding of the regulatory landscape and the threat landscape. It is not a question of whether we should or should not regulate, every sector is different with different needs, activity and regulatory environment.” He added that “the Bill calls for DHS to do a risk assessment and prioritize the most critical infrastructure.” Under this bill, DHS will not be charged with implementation, inspections or mandating specific infrastructure. The performance requirements will be set and then left to the private sector, either through self-certification or third-party assessment, to determine whether they are in compliance.

 

As Deputy Editor, Chris Naoum is curating expert opinions, and writing and editing articles on Broadband Breakfast issue areas. Chris served as Policy Counsel for Future of Music Coalition, Legal Research Fellow for the Benton Foundation and law clerk for a media company, and previously worked as a legal clerk in the office of Federal Communications Commissioner Jonathan Adelstein. He received his B.A. from Emory University and his J.D. and M.A. in Television Radio and Film Policy from Syracuse University.
