Analysis: While Congress dithers, cyber threats grow greater


Two experts offer three essential elements of effective cybersecurity legislation.

Cybersecurity is an urgent priority -- national and economic security are at stake -- but we do not yet have in place the legislation needed to deal with the threat. From network attacks to network exploitation, the threat is real and emanates from a range of sources, including China, Russia, Iran and North Korea, transnational criminal organizations, and hackers for hire. Now is the time to act, while cooler heads can prevail, rather than after a significant cyber event or in the heat of a crisis, when more draconian measures and outcomes may result. There are now multiple bills before Congress, including the Cybersecurity Act, the SECURE IT Act, the Cyber Intelligence Sharing and Protection Act, which passed the House in April, as well as the compromise framework led by Sens. Sheldon Whitehouse, D-R.I., and Jon Kyl, R-Ariz. Senate Majority Leader Harry Reid may soon bring yet another bill to the floor. Given this proliferation of proposals, we thought it would be useful to offer some key concepts -- namely the most important pieces of these various bills -- that could serve as primary areas of focus and minimum baselines for any bipartisan bill. Those concepts are:

Effective Information-Sharing. Situational awareness, founded on threat-related intelligence and information-sharing, is crucial. This was one of the key lessons learned in the counterterrorism realm in the wake of 9/11. Yet the cybersecurity community has not reached a matching level of maturity. Its current state is akin to where the counterterrorism community found itself shortly after 9/11. Elements of the intelligence provisions in the Cyber Intelligence Sharing and Protection Act, or something similar that addresses this aspect of cybersecurity, are sorely needed. It's unrealistic to expect private entities to defend themselves against network exploitation attacks perpetrated by foreign intelligence services. Moreover, the federal government has a responsibility to share threat information (i.e., signatures, hostile plans and techniques to degrade, disrupt or destroy systems) that places our critical infrastructures at risk. The pilot program introduced within the confines of the defense industrial base offers a solid starting point and example of a promising information-sharing environment. We should build on this by extending the DIB program to other critical infrastructure sectors.

Critical Infrastructure Standards. Owners and operators of critical infrastructure should be called upon to define and implement standards and best practices. Since owners and operators know the intricacies and vulnerabilities of their sectors better than anyone else, this self-initiated approach will ensure that standards are customized and effective while avoiding unnecessary or duplicative regulation. Industry stakeholders should embark upon this task with appropriate support from regulatory authorities who have existing relationships with the relevant sectors (as is the case in the energy sector, for example). Often these stakeholders have already addressed similar risks and built relationships that can be leveraged to make quick work of creating cyber standards and market certainty.

Third-Party Enforcement Mechanism. A trusted third party could ensure compliance with standards and best practices by granting a “Good Housekeeping” seal of approval to critical infrastructures that meet the bar. This will lead to industrywide adoption and robust outcomes. (Setting time limits, within which critical sectors could determine their own destiny by meeting the standards, could help focus minds and spur needed action.) Addressing the behavioral dimension through management best practices (beyond simply the technical dimension) could spur the insurance and reinsurance sectors to step into the fray. Taking a carrot-and-stick approach, we would further argue that those companies that meet the bar should be provided incentives, including tax breaks, priority in government contracting opportunities, and indemnification of liability, allowing those who have done what has been asked of them to avoid costly litigation.

Opinions on the existing bills are deeply divided. Nor is there consensus on what a comprehensive solution should look like. Accordingly, we would make the case for legislation that takes the above steps as a first move forward in the right direction. Action along these lines would be a good initial step and would be a great deal better than the inaction and paralysis that currently prevail. It’s important to bear in mind that there is a reason that “critical infrastructure” is so-called. It may lie largely in private hands, but it performs functions that are crucial to national security and other fundamental ends. This is not to say that critical infrastructure as a whole is homogeneous. To the contrary, it includes diverse sectors such as finance and banking, telecommunications and energy. There are many permutations of technology by sector, and it’s unlikely that one bill or remedy will satisfactorily address all of the stakeholders involved, either from a technical or political perspective. Discussing the viability of such a bill has delayed the process at least three years and resulted in nothing being done legislatively. Now is the time to provide strong guidance for these critical sectors that the nation cannot afford to see compromised under any circumstance.

Perhaps the best place to start is with the energy, water, emergency services (to include supporting communications), transportation and healthcare sectors. These are the must-haves that are critical to the survivability of society. The good news is that the legislation can pivot off some of the work already done in these sectors and in the energy sector in particular. Though not particularly known for its innovative use of technology, the energy sector moved out early on in terms of cybersecurity and possesses a good bit of experience with both the risks and repercussions of what happens when the lights go out, be it from natural disasters or other causes. Customers grow angry, their revenues decline and regulators intercede. Against this background multiple stakeholders worked together to assess risks and set standards to mitigate those risks -- thereby creating certainty in the marketplace and a management roadmap for industry. In addition, the sector created an information-sharing environment by which cyber situational awareness can be maintained throughout the sector. The key question now is how to build upon this small success and create certainty from which to build in other markets.

If multiple stakeholders could agree on such a legislative approach we as a country would be able to begin to address our risk before we are forced to do so by events. A spirit and practice of genuine public-private partnership is sorely needed. It is not difficult to imagine what harm could be wrought by bad actors with command of cyber skills and little regard for human life. At the end of the day, what is paramount is to protect and maintain the trust and confidence of the American people. That should serve as motivation enough to get us to where we need to be, or at least to a first but important step down that path. Put bluntly, Congress has a responsibility to take us there.

Frank Cilluffo is Director of the George Washington University Homeland Security Policy Institute. Andrew Robinson is Senior Vice President of ICF International.