
Obama cybersecurity enforcement plan could backfire, senator warns

A key lawmaker assessing a White House bill to strengthen cybersecurity warned that the proposal's plan for policing critical commercial networks -- by disclosing audits of their security practices -- could inadvertently steer U.S. adversaries to vulnerable targets.

"The evaluation of that [company's security] plan would be publicly accessible," Sen. Susan Collins, R-Maine, ranking member of the Homeland Security and Governmental Affairs Committee, said at a hearing Monday. "We don't want to give those that would do us harm a roadmap on how to attack our critical infrastructure."

On May 12, the White House delivered to Congress 52 pages of legislative text spelling out the Obama administration's position on nearly all the sticking points that for the past year have prevented lawmakers from passing a cybersecurity bill.

The panel's chairman, Connecticut independent Joe Lieberman, and Collins -- despite her criticism -- have introduced wide-ranging cyber legislation that largely dovetails with the executive branch's ideas. One of the exceptions is the regulation of critical infrastructure systems, or networks such as power grids that, if attacked, could devastate the economy or harm public safety. The private sector operates the majority of such cyberspace services.

The administration's proposal takes the light-handed approach of publicly naming companies that fail in independent inspections of their network protections -- instead of shutting down their networks or fining them.

"The biggest lever here would be transparency," said Philip Reitinger, the top cybersecurity policy official at the Homeland Security Department. He stressed that the purpose of the openness is not just to shame companies into compliance, but also to let the financial markets and customers take into account a firm's privacy and security protections.

Added Ari Schwartz, senior Internet policy adviser for the National Institute of Standards and Technology, "If they do it deadly wrong, you're going to have brand impact potentially." The White House text also offers a carrot: Companies with stellar cyber records could be given preference in competitions for federal business contracts.

Collins argued that the Obama strategy could have the opposite effect of directing terrorists to a company's cyberspace Achilles' heel. "Aren't you providing very valuable information to not only cybercriminals but perhaps terrorist groups or nation states that are constantly trying to probe our systems?" she asked. "I'm really surprised that you want that to be public."

She urged administration officials to find a tactic different from the "name and shame approach" -- such as one that relies on internal enforcement.

"If they are not doing a good job, then DHS goes in and applies sanctions or requires a better security plan," Collins suggested. "I understand what you are trying to do, but I think you are also giving information to the enemy."

Lieberman recommended the White House include liability protections for the private sector as an additional incentive to cooperate. "This could unfortunately end up as a real obstacle -- the failure to do something about liability -- to the passage of the bill," he said.

If the information provided to the market is "sufficient to cause a business to no longer do business with that entity, it's sufficient to wave a red flag at those who would do us harm," Collins said. "I don't think you can have it both ways. . . . If the vulnerability that is revealed or the poor evaluation that is published is sufficient to cause other commercial entities to refrain from doing business with this section of critical infrastructure, then surely it's going to be sufficient to prompt a computer hacker or terrorist group or Russia or China to redouble its efforts."

Reitinger, who plans to retire on June 3, said he understood the senator's concerns and that the rules would require that "information not be reported to such detail that it would impair the security of that entity."

He continued, "If the publication of the results [of the audit] causes such entities to say we need to do a better job, then the regime is going to have the effect that we intend."

As Nextgov was first to report, the stipulations for critical infrastructure networks do not apply to so-called national security systems. The president, not Homeland Security, would set policies for such services, which handle intelligence communications and classified information, as well as command and control of military forces.

Schwartz, who previously worked as a privacy advocate with the Center for Democracy and Technology, a civil liberties group, said the administration is very willing to work with the committee on tweaking the penalties in the legislation.

"We don't claim to have everything in perfect alignment or balance in terms of these levers," he said.
