Businesses urged to share more information on cyber threats

The top counterterrorism official at the Homeland Security Department on Tuesday called on businesses to cooperate more with government when hit by hackers.

"Let's face it -- cybersecurity primarily is a civilian space -- it is used mostly by businesses, but it is tied closely to national security," said Rand Beers, undersecretary for the National Protection and Programs Directorate, during a conference in Washington sponsored by antivirus company Symantec. "This requires us to share information both within government, between governments and with the private sector. It needs to be a two-way street."

The White House in May presented Congress with 52 pages of legislative text that would subject private networks to more regulation. The proposal details the role DHS would play in ensuring businesses that operate networks that sustain life-critical infrastructure -- power, water treatment and financial services -- are meeting security standards.

But some businesses are critical of plans to step up oversight of commercial networks, while some military proponents say the National Security Agency, the Pentagon's cyber arm, should take the lead on network defense. Beers said the proposal would solidify the role of DHS as head of cybersecurity operations governmentwide and as adviser to the private sector on network protection.

He stressed that companies largely would be left to their own devices to safeguard systems. "Together with industry, DHS will identify the [most critical] infrastructure and then DHS will specify the risks that industries need to mitigate through a public rule-making process," he said. Businesses then would be allowed to develop risk-mitigation plans that meet their needs. "It is industry, not government, that will provide the solutions under this proposal," Beers added.

And he noted that the government will not punish companies for disobeying the rules. "Instead of fines or penalties, DHS will use transparency," by disclosing the names of firms that are not up to par, "and market forces to incentivize compliance with this regime," Beers said. Any information published about noncompliant companies would be limited to very general descriptions so as not to reveal vulnerabilities, he said.

Some industry groups have expressed concern that a prescriptive law could meddle with a company's ability to deploy the most appropriate protections.

"We encourage Congress to draw a bright line between critical and noncritical infrastructure," TechAmerica President Phil Bond testified last month before a House panel. "It is essential that organizations be able to effectively combat all threats; however, they will not be able to do so if they have static defenses in place that are focused primarily on compliance measures."

Senate leaders are proponents of the idea that DHS should drive cyber operations across government and industry. "Everyone who is not intimately tied with NSA believes DHS is up for the task," Tommy Ross, senior intelligence and defense adviser for Senate Majority Leader Harry Reid, D-Nev., told Nextgov at the event. He acknowledged that some in the defense arena feel Homeland Security does not have a strong enough budget or track-record on combating cyber threats to match the Pentagon's capabilities.

The chamber also stands firm on the need to establish a Senate-confirmed White House cybersecurity coordinator, Ross said. The White House did not ask for such a position in its legislative proposal, but "they will get one," he said. Obama appointed the current White House cyber czar, Howard Schmidt, without seeking Senate approval.

In addition, senators want to expand the authorities of the cyber coordinator to resemble the supervisory functions of the director of national intelligence, Ross said.

Rep. Mac Thornberry, who is steering cyber legislation through House committees, "recognizes that DHS will play a role" in shoring up government and private network defenses, but the specifics of that role are still being negotiated by the panels, Michael Seeds, legislative director for the Texas Republican, told Nextgov at the symposium.