Obama cybersecurity enforcement plan could backfire, senator warns

'Name and shame' approach to motivating companies to enhance security might actually steer enemies to U.S. targets, says Collins.

A key lawmaker assessing a White House bill to strengthen cybersecurity warned that the proposal's plan for policing critical commercial networks -- by disclosing audits of their security practices -- could inadvertently steer U.S. adversaries to vulnerable targets.

"The evaluation of that [company's security] plan would be publicly accessible," Sen. Susan Collins, R-Maine, ranking member of the Homeland Security and Governmental Affairs Committee, said at a hearing Monday. "We don't want to give those that would do us harm a roadmap on to how to attack our critical infrastructure."

On May 12, the White House delivered to Congress 52 pages of legislative text spelling out the Obama administration's position on nearly all the sticking points that for the past year have prevented lawmakers from passing a cybersecurity bill.

The panel's chairman, Connecticut independent Joe Lieberman, and Collins -- despite her criticism -- have introduced wide-ranging cyber legislation that largely dovetails with the executive branch's ideas. One of the exceptions is the regulation of critical infrastructure systems, or networks such as power grids that, if attacked, could devastate the economy or harm public safety. The private sector operates the majority of such cyberspace services.

The administration's proposal takes the light-handed approach of publicly naming companies that fail in independent inspections of their network protections -- instead of shutting down their networks or fining them.

"The biggest lever here would be transparency," said Philip Reitinger, the top cybersecurity policy official at the Homeland Security Department. He stressed that the purpose of the openness is not just to shame companies into compliance, but also to let the financial markets and customers take into account a firm's privacy and security protections.

Added Ari Schwartz, senior Internet policy adviser for the National Institute of Standards and Technology, "If they do it deadly wrong, you're going to have brand impact potentially." The White House text also offers a carrot: Companies with stellar cyber records could be given preference in competitions for federal business contracts.

Collins argued that the Obama strategy could have the opposite effect of directing terrorists to a company's cyberspace Achilles' heel. "Aren't you providing very valuable information to not only cybercriminals but perhaps terrorists groups or nation states that are constantly trying to probe our systems?" she asked. " I'm really surprised that you want that to be public."

She urged administration officials to find a tactic different from the "name and shame approach" -- such as one that relies on internal enforcement.

"If they are not doing a good job, then DHS goes in and applies sanctions or requires a better security plan," Collins suggested. "I understand what you are trying to do, but I think you are also giving information to the enemy."

Lieberman recommended the White House include liability protections for the private sector as an additional incentive to cooperate. "This could unfortunately end up as a real obstacle -- the failure to do something about liability -- to the passage of the bill," he said.

If the information provided to the market is "sufficient to cause a business to no longer do business with that entity, it's sufficient to wave a red flag at those who would do us harm," Collins said. "I don't think you can have it both ways .. . . If the vulnerability that is revealed or the poor evaluation that is published is sufficient to cause other commercial entities to refrain from doing business with this section of critical infrastructure, then surely it's going to be sufficient to prompt a computer hacker or terrorist group or Russia or China to redouble its efforts."

Reitinger, who plans to retire on June 3, said he understood the senator's concerns and that the rules would require that "information not be reported to such detail that it would impair the security of that entity."

He continued, "If the publication of the results [of the audit] causes such entities to say we need to do a better job, than the regime is going to have the effect that we intend."

As Nextgov was first to report, the stipulations for critical infrastructure networks do not apply to so-called national security systems. The president, not Homeland Security, would set policies for such services, which handle intelligence communications and classified information, as well as command and control of military forces.

Schwartz, who previously worked as a privacy advocate with the Center for Democracy and Technology, a civil liberties group, said the administration is very willing to work with the committee on tweaking the penalties in the legislation.

"We don't claim to have everything in perfect alignment or balance in terms of these levers," he said.