Obama cybersecurity enforcement plan could backfire, senator warns

A key lawmaker assessing a White House bill to strengthen cybersecurity warned that the proposal's plan for policing critical commercial networks -- by disclosing audits of their security practices -- could inadvertently steer U.S. adversaries to vulnerable targets.

"The evaluation of that [company's security] plan would be publicly accessible," Sen. Susan Collins, R-Maine, ranking member of the Homeland Security and Governmental Affairs Committee, said at a hearing Monday. "We don't want to give those that would do us harm a roadmap on to how to attack our critical infrastructure."

On May 12, the White House delivered to Congress 52 pages of legislative text spelling out the Obama administration's position on nearly all the sticking points that for the past year have prevented lawmakers from passing a cybersecurity bill.

The panel's chairman, Connecticut independent Joe Lieberman, and Collins -- despite her criticism -- have introduced wide-ranging cyber legislation that largely dovetails with the executive branch's ideas. One of the exceptions is the regulation of critical infrastructure systems, or networks such as power grids that, if attacked, could devastate the economy or harm public safety. The private sector operates the majority of such cyberspace services.

The administration's proposal takes the light-handed approach of publicly naming companies that fail in independent inspections of their network protections -- instead of shutting down their networks or fining them.

"The biggest lever here would be transparency," said Philip Reitinger, the top cybersecurity policy official at the Homeland Security Department. He stressed that the purpose of the openness is not just to shame companies into compliance, but also to let the financial markets and customers take into account a firm's privacy and security protections.

Added Ari Schwartz, senior Internet policy adviser for the National Institute of Standards and Technology, "If they do it deadly wrong, you're going to have brand impact potentially." The White House text also offers a carrot: Companies with stellar cyber records could be given preference in competitions for federal business contracts.

Collins argued that the Obama strategy could have the opposite effect of directing terrorists to a company's cyberspace Achilles' heel. "Aren't you providing very valuable information to not only cybercriminals but perhaps terrorist groups or nation states that are constantly trying to probe our systems?" she asked. "I'm really surprised that you want that to be public."

She urged administration officials to find a tactic different from the "name and shame approach" -- such as one that relies on internal enforcement.

"If they are not doing a good job, then DHS goes in and applies sanctions or requires a better security plan," Collins suggested. "I understand what you are trying to do, but I think you are also giving information to the enemy."

Lieberman recommended the White House include liability protections for the private sector as an additional incentive to cooperate. "This could unfortunately end up as a real obstacle -- the failure to do something about liability -- to the passage of the bill," he said.

If the information provided to the market is "sufficient to cause a business to no longer do business with that entity, it's sufficient to wave a red flag at those who would do us harm," Collins said. "I don't think you can have it both ways ... If the vulnerability that is revealed or the poor evaluation that is published is sufficient to cause other commercial entities to refrain from doing business with this section of critical infrastructure, then surely it's going to be sufficient to prompt a computer hacker or terrorist group or Russia or China to redouble its efforts."

Reitinger, who plans to retire on June 3, said he understood the senator's concerns and that the rules would require that "information not be reported to such detail that it would impair the security of that entity."

He continued, "If the publication of the results [of the audit] causes such entities to say we need to do a better job, then the regime is going to have the effect that we intend."

As Nextgov was first to report, the stipulations for critical infrastructure networks do not apply to so-called national security systems. The president, not Homeland Security, would set policies for such services, which handle intelligence communications and classified information, as well as command and control of military forces.

Schwartz, who previously worked as a privacy advocate with the Center for Democracy and Technology, a civil liberties group, said the administration is very willing to work with the committee on tweaking the penalties in the legislation.

"We don't claim to have everything in perfect alignment or balance in terms of these levers," he said.
