Commerce Secretary to Industry: Don’t Let Cyber Report Collect Dust

Commerce Secretary Penny Pritzker threw her voice Tuesday behind efforts to ensure a slate of cybersecurity proposals released this month lasts beyond the end of the Obama administration.

Pritzker called on industry representatives to “ensure these recommendations are not just considered but that they are enacted and implemented” and to “ensure that this report does not wind up collecting dust” during an event sponsored by the USTelecom industry association.

Pritzker did not make a direct appeal to the incoming Trump administration, which will have the greatest power to implement or ignore the more than 50 action items included in the Dec. 1 report from the Commission on Enhancing National Cybersecurity. The Obama administration formed the commission in the wake of the Office of Personnel Management breach.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Commissioners briefed President Barack Obama about the report Thursday and are waiting for the Trump transition team to reach out and schedule a briefing, commission Executive Director Kiersten Todt said during the same event.

Obama praised the report and urged the Trump transition team to request a briefing on Friday.

Pritzker praised the report’s focus on creating market incentives for companies to improve cybersecurity rather than forcing cyber protections through regulation.

Companies are currently wary of sharing vital cyber threat information with government for fear of punishment, Pritzker said.

“The problem is that, today, relationships between regulators and businesses they regulate are inherently adversarial, not collaborative,” she said. “We cannot blame executives for worrying that what starts today as an honest conversation about a cyber threat could end tomorrow in a ‘punish the victim’ enforcement action.”

The commission report does envision new cybersecurity regulations for “life-critical” systems such as internet-connected components of cars and medical devices.

The report also contemplates regulation if market forces don’t produce good cybersecurity outcomes on their own, as noted in a Tuesday post on the Lawfare blog by Commission member Herbert Lin, a senior research scholar for cyber policy and security at Stanford University.

Pritzker advocated what she called “reverse Miranda protections,” so companies that discuss cyber threats with the government can be assured “nothing you say in this setting will be used against you.”

The term is a play on the 1966 Supreme Court decision guaranteeing criminal suspects are informed of their right to legal counsel before police questioning and, as it’s often rendered in popular culture, that “anything you say may be used against you in a court of law.”

There are already procedures for such reverse-Miranda conversations for many companies in sectors deemed critical infrastructure, Pritzker said, but Congress may need to pass new laws allowing companies in other sectors to have such conversations.

One major venue for those conversations is the Critical Infrastructure Partnership Advisory Council. Sharing such information is often onerous, industry officials complained during a panel discussion at the same event.

“I’ll just say it’s not an easy process to use and it takes two to tango,” said Heather Hogsett, vice president of technology and risk strategy at BITS, the tech policy division of the Financial Services Roundtable industry association.

“I think [financial sector] folks are willing to come to the table and have that conversation," she said. "They just haven’t been met with the same sense of urgency and willingness to have a really meaningful and ongoing dialogue on the other end all the time."

“There are mechanisms out there to have those kinds of conversations,” said Christopher Boyer, assistant vice president of global public policy at AT&T. “Whether or not we’ve been able to successfully implement that is a whole other issue. There’s been resistance.”