Critics Rip White House Cybersecurity Proposal

Tuesday, June 28, 2011



The Obama administration delivered a long-awaited comprehensive cybersecurity strategy to Congress in May, but the document has only been given a lukewarm reception by industry groups and security experts.

The proposal was the culmination of over two years of effort by the White House to finish laying the groundwork for the protection of critical infrastructure in the face of increased threats posed by attacks on both public and private sector networks.

While several information security and regulatory interest groups have lauded the administration for finally producing the much-touted plan of action, the general consensus is that the strategy is lacking in depth and breadth.

Major challenges in drafting the proposal included how best to prioritize federal security initiatives, how to define the government's role in protecting and regulating the private sector networks that run the majority of the nation's critical systems, and how to protect privacy and civil liberties in the process.

At this week's Congressional hearings held by the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security, several concerned parties testified on the Obama plan, including former acting federal cybersecurity chief Melissa Hathaway and the Internet Security Alliance's Larry Clinton.

"The administration's proposal had the opportunity to engage the private sector to inform the debate and the items within the proposal. But during the course of their review, they did not engage the private sector. That's why it's so important that this committee and other committees understand the second and third order effects of regulation and other market levers," said Hathaway.

The problem is that the administration's proposal is long on defining federal authority but short on providing incentives for the private sector to make the necessary investments in security technology and best practices.

"The proposal attempts to establish a minimum standard of care and an audit and certification function similar to the Securities and Exchange Commission requirement for attestation of material risk. In my view, inserting DHS into a regulatory role in this context could dilute its operational and policy responsibilities and likely distract from the nation's security posture," Hathaway said.

Events such as the Night Dragon attacks, Operation Aurora, and the emergence of the Stuxnet worm provide substantial impetus for the government to redouble its efforts to secure critical infrastructure systems.

"There's currently an opinion—in the press anyway—that when you've been breached, that's a significant incident. In the modern world with modern attacks, virtually everybody gets breached. If you're going to have these advanced persistent threat guys come after you, they're going to get into your system. If you're going to make that the line, and then you're subject to some of these name-and-shame penalties, I think that would be a mistake," said Clinton.

The ISA represents major corporations from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, technology and security industries. ISA's stated mission is to integrate advanced technology with economics and public policy to create a sustainable system of cyber security.

The ISA strongly advocates that the federal government should not concentrate on regulation to further security, but instead should provide the necessary market incentives to drive the private sector to innovate when it comes to defending against advanced persistent threats.

"They [hackers] go in your system and they hide. It's very difficult to find these guys. We should be providing incentives for companies to go and look for them. If a corporation knows that the harder they look, the more likely it is they'll be named and shamed for finding them, we've created exactly the wrong incentives. It would be much better if companies were proactively incented so that they wanted to go find these guys, because they would lower their liability, lower their insurance rates and have a better chance at federal contracts," Clinton concluded.


Larry Clinton also gave a video interview with Anthony M. Freed at the RSA Conference.
