Computer Crime Research Center


Businesses to Congress: An industry-led approach to cybersecurity can succeed

Date: July 27, 2015
Source: Computer Crime Research Center

The Senate is nearing its first major cybersecurity debate since 2012, opening the floodgates for amendments on issues ranging from consumer data-breach notification requirements to the security of federal computer networks.

There is tremendous pent-up demand among senators to weigh in on cyber policy after years of costly hacks and chilling cyber attacks.

Majority Leader Mitch McConnell, R-Ky., hasn't announced his plans, and some senators are clamoring for an early start to the August recess.

But a growing chorus of senators say the Cyber Intelligence and Sharing Act, or CISA, will come to the floor next week and be the last matter of significant business before the summer break.

The substance of the information-sharing bill produced by Senate Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., will be debated, particularly around whether it would adequately protect privacy rights and civil liberties.

But that will be just a start.

Last week, a bipartisan group of senators announced they would offer an amendment to address the breaches at the Office of Personnel Management by giving the Department of Homeland Security clear, direct authority to drive cybersecurity upgrades at other agencies.

Some senators believe they already did that in legislation signed into law last year called the Federal Information Security Modernization Act.

"I'm glad to see my colleagues engaged on such an important issue," Sen. Tom Carper, D-Del., said in a statement. "It's my understanding that this legislation attempts to build on the FISMA modernization bill that the Homeland Security and Governmental Affairs Committee worked so hard to pass last year. I look forward to reviewing the bill and working with all the sponsors on improving security of our federal networks, including overseeing the implementation of my FISMA legislation that became law in December."

Sen. Sheldon Whitehouse, D-R.I., wants to push an amendment creating a national consumer breach notification requirement, and another strengthening criminal law to fight cyber crooks.

There could be attempts to put in some mandatory cybersecurity requirements for industry, including a possible amendment by Sen. Susan Collins, R-Maine, to require companies in designated "critical infrastructure" sectors to report attempted cyber breaches.

But there almost certainly won't be any serious efforts to attach mandatory security performance standards for industry, unlike the last time the Senate ventured into cyberspace.

The main Senate vehicle on cybersecurity in 2012 was a bill by Collins and then-Sen. Joseph Lieberman that included security requirements for operators of critical infrastructure including power plants and gas pipelines.

Despite Collins' presence on that bill, it generated broad opposition from Republicans who rallied around an alternative by Sen. John McCain, R-Ariz.

Ultimately, the Lieberman-Collins bill was blocked on the floor and the McCain alternative died with it.

Now, some key elements of the McCain proposal on information sharing are back in play, while the idea of setting rigorous security rules for industry is off the table. Collins' reporting requirement proposal is probably the closest this debate gets to discussing government controls on industry.

A key reason why? A framework of cybersecurity standards, released 18 months ago by the National Institute of Standards and Technology, has become the main point of interaction between government and industry.

The Gaithersburg-Md.-based agency has a strong reputation on Capitol Hill, and its framework has nurtured a powerful response in the business sector, which is eager to demonstrate that a voluntary, industry-led approach to cybersecurity can succeed.

"I think it will continue to play the chief organizing role," said one trade association lobbyist. "The framework embodies the key business security risk management principle. It's probably the best thing government has done in this space. And we're only going to be successful in this space if business is enthusiastic about it."

Financial, manufacturing, energy, transportation and many other industry sectors have mapped their cybersecurity policies to the framework.

"Industry is farther along than I thought they'd be 18 months ago," NIST's Adam Sedgewick said in an interview with "They reach out to us and show us how they're using the framework."

NIST is also spending an extensive amount of time speaking with colleagues in government about the purpose of the framework and its voluntary nature.

"People wrapped themselves around the axle about the regulatory threat," said an energy-sector source. "That wasn't the intent and it didn't happen."

"A lot of our message to government folks — whether they are regulators or not — is that making something mandatory actually moves it out of security operations and into the compliance mode," said Matthew Barrett, NIST's framework program manager.

There are lingering questions, even among industry groups.

"The metrics are unclear on who's implementing the framework or how it's being implemented," a technology industry source said. "I'm not sure we've determined what success looks like."

NIST puts the question this way, according to Barrett: "Has this helped you improve risk management and security?"

Congress late last year ordered the Government Accountability Office to report on the uses and effectiveness of the framework. That report is due at the end of the year.

For now, most lawmakers seem satisfied to supplement the framework-driven, voluntary approach with additional tools such as enhanced information sharing.

The Senate debate may veer in any number of directions, but thanks in part to the credibility of NIST's handiwork, it almost certainly won't bog down in an old-time debate over regulation.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo