Cybersecurity regs seen as less restrictive in the U.S.

A smaller percentage of executives in U.S. industries considered to be critical infrastructure believe they are subject to cybersecurity regulations than do their global counterparts, according to a report released today.

In the U.S., 72 percent of executives surveyed said their cybersecurity efforts were subject to regulations, compared with 92 percent in China and Germany, 97 percent in India, and 86 percent overall, according to the report commissioned by McAfee and authored by the Center for Strategic and International Studies.

In addition, those executives most often identified the United States as the one country other than their own that was a model for cybersecurity. Some 44 percent of the executives see the U.S. that way, the report states.

The report said business executives rarely ask for more regulation, but they are concerned about:

• A lack of confidence in government’s understanding of how critical infrastructure sectors work.
• The possibility that clumsy regulation could hamper security.
• The risk that mandatory disclosure of computer security incidents could drive policy and resources in the wrong directions.

The survey gathered anonymous answers from 600 executives in 14 countries who work in seven sectors that involve critical infrastructure, including electrical grids, oil and gas production, telecommunications, and transportation networks. One hundred of the respondents were based in the United States; 50 each were in Japan, China, Germany, France, the United Kingdom and Italy; 30 each were in Russia, Spain, Australia, Brazil, Mexico and India; and 20 were in Saudi Arabia. Market research company Vanson Bourne conducted the survey in September 2009.

Overall, participation in government-led partnership initiatives was found to be low. Thirty-five percent of respondents said their organization was involved in a government/private-sector partnership, but that percentage varied greatly by country: 61 percent in China, 42 percent in the U.S. and 22 percent in Brazil.

Meanwhile, 49 percent of executives reported being audited by a government agency for compliance with cybersecurity laws or regulations. Those rates also varied widely by country, with China at 83 percent, Saudi Arabia at 73 percent, Russia at 30 percent and Spain at 32 percent.

Stewart Baker, one of the report's authors and a former assistant secretary for policy at the Homeland Security Department, said the survey shows that the critical infrastructure for the oil and gas sector was a leading target of various types of cyberattacks. Industry executives estimated that, on average, a day of downtime caused by a major attack would cost one of their organizations $8.4 million, compared with the overall average projection for all sectors of $6.3 million for a day of downtime.

The survey also found that two-fifths of executives expected a major cybersecurity incident – one that lasts for 24 hours or causes someone to die or a company to fail – in the next year, and 80 percent expected an incident in the next five years.

Adam Rice, global chief security officer and vice president of managed security services at Tier 1 Internet service provider Tata Communications, said the results were troubling but not surprising.

Sue Armstrong, deputy assistant secretary for infrastructure protection at DHS, said the report underscored the dependence of physical critical infrastructure on cyber networks. Security is a shared responsibility between government and industry, she said, and there is a need to encourage public/private partnerships under DHS’ National Infrastructure Protection Plan (NIPP).

“We need to recognize that industry is the thing that is going to keep and push the U.S. government to be nimble and innovative,” Armstrong said.

NIPP is the national framework through which federal agencies, nonfederal authorities and the private sector collaborate to protect the country's most critical infrastructure and key resources from terrorist attacks, natural disasters and other incidents.