Is the Administration Saying One Thing And Doing Another on Cybersecurity?
Defense Secretary Leon Panetta’s recent speech about cybersecurity should serve as a wake-up call to anyone who doesn’t think that cyber-terrorism poses as great a threat to our country and our economy as more traditional forms of terrorism.
Sec. Panetta and most experts agree that we need federal legislation to facilitate cybersecurity across different sectors, and that greater sharing of cyber threat information between government and the business community is an essential component of such legislation.
As Secretary Panetta said in his speech (emphasis mine):
Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure and resilient global, digital infrastructure.
Particularly those who operate the critical networks that we must help defend. To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace.
We've made real progress in sharing information with the private sector. But very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive.
Companies should be able to share specific threat information with the government, without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold.
The Chamber supports the House-passed Cyber Intelligence Sharing and Protection Act (CISPA), which would spur information-sharing without the threat of lawsuits as called for by Secretary Panetta. However, the administration threatened to veto that bill despite bipartisan support, with more than 40 Democrats voting for it.
The government has information that needs to be shared with the private sector. Here’s more from Sec. Panetta:
We know that foreign cyber actors are probing America's critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.
We know of specific instances where intruders have successfully gained access to these control systems.
We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life.
So, if the administration knows of specific threats, why won’t it and Sens. Reid and Lieberman support legislation that would compel the government to share that information with at-risk private sector entities? Is it because sharing such threat information would expose the government’s inability to deal with it?
The bill preferred by the administration, the Cybersecurity Act of 2012, could actually stymie information sharing between business and government. It’s a hub-and-spoke model, and its strict definition of cyber threat information could erect—not bring down—barriers to productive information sharing. Moreover, liability protections related to voluntary information sharing are vague, if not purposefully qualified, and would invite—rather than deter—lawsuits.
In addition, the administration and its supporters on the Hill are seeking greater government oversight of cybersecurity despite the fact that the private sector owns and operates the vast majority of the critical infrastructure at risk of cyber-terrorism.
Cybersecurity legislation must allow our nation to quickly recognize and respond to changing threats. A national cybersecurity program that gives federal officials authority over what actions business owners and managers could take to protect their computers and networks could be highly problematic. While establishing baseline security standards is desirable, putting a slow, bureaucratic government agency in charge of managing such standards is a risky proposition when flexibility and response time are of highest importance.
And have supporters of the Cybersecurity Act not given any consideration to the costs of cybersecurity mandates? We need to make sure that the private sector is spending scarce resources managing risk and implementing robust and effective security measures instead of hiring more compliance officers to deal with red tape.