Analysis: While Congress dithers, cyber threats grow greater

Two experts offer three essential elements of effective cybersecurity legislation.

Cybersecurity is an urgent priority -- national and economic security are at stake -- but we do not yet have in place the legislation needed to deal with the threat. From network attacks to network exploitation, the threat is real and emanates from a range of sources, including China, Russia, Iran and North Korea, transnational criminal organizations, and hackers for hire. Now is the time to act, while cooler heads can prevail, rather than after a significant cyber event or in the heat of a crisis, when more draconian measures and outcomes may result. There are now multiple bills before Congress, including the Cybersecurity Act, the SECURE IT Act, the Cyber Intelligence Sharing and Protection Act, which passed the House in April, as well as the compromise framework led by Sens. Sheldon Whitehouse, D-R.I., and Jon Kyl, R-Ariz. Senate Majority Leader Harry Reid may soon bring yet another bill to the floor. Given this proliferation of proposals, we thought it would be useful to offer some key concepts -- namely the most important pieces of these various bills -- that could serve as primary areas of focus and minimum baselines for any bipartisan bill. Those concepts are:

Effective Information-Sharing. Situational awareness, founded on threat-related intelligence and information-sharing, is crucial. This was one of the key lessons learned in the counterterrorism realm in the wake of 9/11. Yet the cybersecurity community has not reached a matching level of maturity. Its current state is akin to where the counterterrorism community found itself shortly after 9/11. Elements of the intelligence provisions in the Cyber Intelligence Sharing and Protection Act, or something similar that addresses this aspect of cybersecurity, are sorely needed. It is unrealistic to expect private entities to defend themselves, unaided, against network exploitation perpetrated by foreign intelligence services. Moreover, the federal government has a responsibility to share threat information (i.e. signatures, hostile plans, and techniques to degrade, disrupt or destroy systems) that bears on the risk to our critical infrastructures. The pilot program introduced within the confines of the defense industrial base offers a solid starting point and an example of a promising information-sharing environment. We should build on this by extending the DIB program to other critical infrastructure sectors.

Critical Infrastructure Standards. Owners and operators of critical infrastructure should be called upon to define and implement standards and best practices. Since owners and operators know the intricacies and vulnerabilities of their sectors better than anyone else, this self-initiated approach will ensure that standards are customized and effective while avoiding unnecessary or duplicative regulation. Industry stakeholders should embark upon this task with appropriate support from regulatory authorities who have existing relationships with the relevant sectors (as is the case in the energy sector, for example). Often these stakeholders have already addressed similar risks and built relationships that can be leveraged to make quick work of creating cyber standards and market certainty.

Third-Party Enforcement Mechanism. A trusted third party could ensure compliance with standards and best practices by granting a “Good Housekeeping” seal of approval to critical infrastructures that meet the bar. This would lead to industrywide adoption and robust outcomes. (Setting time limits, within which critical sectors could determine their own destiny by meeting the standards, could help focus minds and spur needed action.) Addressing the behavioral dimension through management best practices (beyond simply the technical dimension) could spur the insurance and reinsurance sectors to step into the fray. Taking a carrot-and-stick approach, we would further argue that companies that meet the bar should be provided incentives, including tax breaks, priority in government contracting opportunities, and indemnification of liability, allowing those who have done what has been asked of them to avoid costly litigation.

Opinions on the existing bills are deeply divided. Nor is there consensus on what a comprehensive solution should look like. Accordingly, we would make the case for legislation that takes the above steps as a first move forward in the right direction. Action along these lines would be a good initial step and would be a great deal better than the inaction and paralysis that currently prevails. It’s important to bear in mind that there is a reason that “critical infrastructure” is so-called. It may lie largely in private hands, but it performs functions that are crucial to national security and other fundamental ends. This is not to say that critical infrastructure as a whole is homogenous. To the contrary, it includes diverse sectors such as finance and banking, telecommunications and energy. There are many permutations of technology by sector and it’s unlikely that one bill or remedy will address satisfactorily all of the stakeholders involved, either from a technical or political perspective. Discussing the viability of such a bill has delayed the process at least three years and resulted in nothing being done legislatively. Now is the time to provide strong guidance for these critical sectors that the nation cannot afford to see compromised under any circumstance.

Perhaps the best place to start is with the energy, water, emergency services (to include supporting communications), transportation and healthcare sectors. These are the must-haves that are critical to the survivability of society. The good news is that the legislation can pivot off some of the work already done in these sectors, and in the energy sector in particular. Though not particularly known for its innovative use of technology, the energy sector moved early on cybersecurity and possesses a good bit of experience with both the risks and repercussions of what happens when the lights go out, be it from natural disasters or other causes. Customers grow angry, utilities' revenues decline and regulators intercede. Against this background, multiple stakeholders worked together to assess risks and set standards to mitigate those risks -- thereby creating certainty in the marketplace and a management roadmap for industry. In addition, the sector created an information-sharing environment through which cyber situational awareness can be maintained throughout the sector. The key question now is how to build upon this small success and create the certainty from which to build in other markets.

If multiple stakeholders could agree on such a legislative approach we as a country would be able to begin to address our risk before we are forced to do so by events. A spirit and practice of genuine public-private partnership is sorely needed. It is not difficult to imagine what harm could be wrought by bad actors with command of cyber skills and little regard for human life. At the end of the day, what is paramount is to protect and maintain the trust and confidence of the American people. That should serve as motivation enough to get us to where we need to be, or at least to a first but important step down that path. Put bluntly, Congress has a responsibility to take us there.

Frank Cilluffo is Director of the George Washington University Homeland Security Policy Institute. Andrew Robinson is Senior Vice President of ICF International.
