Experts from outside government criticized the White House’s legislative proposal for cybersecurity Friday, saying the bill the administration has proposed could make the nation’s critical infrastructure less secure.
The House Homeland Security Subcommittee on Cybersecurity invited testimony from witnesses outside government. The subcommittee is one of several Congressional panels tasked with developing information security policy during the current legislative session.
Melissa Hathaway, who served as President Barack Obama’s acting cybersecurity chief during most of 2009, told the panel Congress should closely examine the effects of the administration’s proposal on industry and invite private sector input. She said this is something the White House process, which produced the legislative proposal submitted to Congress earlier this year, appears not to have done.
“The administration’s proposal had the opportunity to engage the private sector to inform the debate and the items within the proposal. But during the course of their review, they did not engage the private sector,” she told the subcommittee. “That’s why it’s so important that this committee and other committees understand the second and third order effects of regulation and other market levers.”
She said she was specifically worried about a confused definition of the role of the Department of Homeland Security in cyberspace, and said Congress should discuss whether DHS should serve a policy function, an operational function, or a regulatory function.
“The proposal attempts to establish a minimum standard of care and an audit and certification function similar to the Securities and Exchange Commission requirement for attestation of material risk. In my view, inserting DHS into a regulatory role in this context could dilute its operational and policy responsibilities and likely distract from the nation’s security posture,” she said.
Hathaway also said she worried about DHS being assigned broader roles and missions at a time when the department is still finding its sea legs in the cybersecurity arena.
Larry Clinton, president of the Internet Security Alliance, was far more blunt in his criticism of the administration proposal, calling it “anti-security.”
In particular, his group, which primarily represents the operators of privately owned critical infrastructure, worries about provisions in the bill that would mandate that companies disclose data breaches in a timely manner. The administration believes that increasing the transparency of breaches will give industry an incentive to strengthen its cybersecurity in order to prevent embarrassing incidents. But Clinton said the proposal raises the question of what precisely a breach is and when a breach is actually a problem.
“There’s currently an opinion—in the press anyway—that when you’ve been breached, that’s a significant incident,” he said. “In the modern world with modern attacks, virtually everybody gets breached. If you’re going to have these advanced persistent threat guys come after you, they’re going to get into your system. If you’re going to make that the line, and then you’re subject to some of these name-and-shame penalties, I think that would be a mistake.”
Clinton said any legislation that would require companies to disclose all breaches is based on outdated thinking. The old model, he said, is based on the idea that companies and agencies can defend their network perimeters and keep attackers out.
Instead, he said, the focus should be on making sure networks can be defended from the inside and that any damage intruders do once they’ve penetrated a network can be mitigated.
“They go in your system and they hide. It’s very difficult to find these guys,” he said. “We should be providing incentives for companies to go and look for them. If a corporation knows that the harder they look, the more likely it is they’ll be named and shamed for finding them, we’ve created exactly the wrong incentives. It would be much better if companies were proactively incented so that they wanted to go find these guys, because they would lower their liability, lower their insurance rates and have a better chance at federal contracts.”
He said companies such as major defense contractors that have advanced intrusion detection systems would, in effect, be penalized, because they are better able to spot even the slightest compromise of their networks. He said the message to the rest of industry under the administration’s proposal would be to do everything they can to avoid spotting network intrusions, and therefore avoid having to report them.
The Homeland Security Committee is one of many on Capitol Hill currently considering pieces of legislation that would reform the government’s approach to cybersecurity.
Besides the legislative text the White House submitted, a tally assembled by Hathaway puts the number of bills under active consideration at 10 on the Senate side alone. There are eight more in the House.