Hearing highlights disagreement over cybersecurity incentives vs. regulation

Even as Congress takes up broad cybersecurity legislation, witnesses at a House subcommittee hearing highlighted lingering disagreement over just how to reduce cyber threats.

Laws and regulations have not kept up with the growing problem, the Center for Strategic and International Studies' James Lewis told the House Energy and Commerce panel's Subcommittee on Communications and Technology.

"This is largely a political problem. Our policies and our laws are inadequate," he said. "We now know how to reduce risk on networks, but we have chosen not to do so."

The Senate is expected to introduce broad cybersecurity legislation any day. The House, meanwhile, plans to develop cybersecurity responses in a range of individual committees, including the Energy and Commerce Committee.

Businesses have pushed for more federal help in combating cyber threats but favor incentives over regulation. Internet Security Alliance President Larry Clinton says the real problem is that companies are paying more than their fair share to prevent cyberattacks.

"Traditional approaches, including federal regulation, will not solve the problem as it will be largely reactive and not stay ahead of the changing nature of the threat," Clinton said in written testimony. "Worse, bad regulation could be counterproductive, leading companies to expend their limited resources on building in-house efforts to meet regulatory demands over actually dealing with the threat proactively. Fundamental to stopping the advanced cyber threat is to understand that our biggest problems are not technological, but economic."

Subcommittee Chairman Greg Walden, R-Ore., said he fears that American communication networks are "under siege" while countermeasures continue to lag.

"Every month, we learn more about these cyber threats. And what we have learned thus far worries me," he said. "I am worried that our cyber defenses are not keeping pace with the cyber threats."

Any approach to cyber defense will require efforts by both the private and public sectors, said the panel's ranking member, Rep. Anna Eshoo, D-Calif.

"I'm well aware of the threat--not just from criminal hackers but also from other countries," said Eshoo, who has served on the House Intelligence Committee as well. "But talking about the problem is not enough. We need to act, and that requires the help of both the private sector and the federal government. The private sector represents 95 percent, and the government really represents 5 percent."

The House bills so far include one from the Intelligence Committee that would increase public-private information sharing and incentives for businesses, and one from the Homeland Security Committee that clarifies federal authority to regulate cybersecurity as well as ensure information sharing.