A coalition of information technology and civil liberties organizations is trying to get ahead of congressional lawmakers and the Obama administration in forging a national cybersecurity policy.
Members of the coalition met with congressional staffers last week to brief them on the group’s just-released white paper on cybersecurity, “Improving our Nation’s Cybersecurity through the Public-Private Partnership.” The sponsoring organizations are the Business Software Alliance, The Center for Democracy and Technology, the Internet Security Alliance, TechAmerica, and the U.S. Chamber of Commerce.
“Our objective is to get our views to Congress and the administration as they formulate their positions,” said Larry Clinton, president of the Internet Security Alliance (ISA).
“Rather than wait and react to any specific piece of regulation or legislation, we’d like to be more proactive, so the information we provide can be considered during the policy development process,” he told the E-Commerce Times.
“We have taken a perspective that includes the full spectrum of IT players, including hardware and software companies, service providers, and even the civil liberties community,” noted Clinton. “Federal policy people often express frustration in trying to figure out how to reconcile the positions of various interest groups. Well, we’ve done that to a large degree.”
The coalition emphasizes three major goals in developing a national framework for cybersecurity: a public-private approach with a minimum of federal regulation; incentives for private sector participation; and protecting civil liberties.
Stick With Partnerships
The coalition contends that the current model of a cooperative cybersecurity partnership between government and business has worked reasonably well and should be continued — but that efforts need to be enhanced and improved. The group is concerned, however, that new policy initiatives would replace the current arrangement with an alternate system more reliant on government mandates directed at the private sector.
“This change of direction would both undermine the progress that has been made and hinder efforts to achieve lasting success,” says the coalition report.
For example, the Center for Strategic and International Studies (CSIS) issued a report in January calling for an extension of federal regulation into cybersecurity. It cites recent breaches of Defense Department Internet security, the Stuxnet virus, and rampant commercial incidents such as attacks on bank ATM systems, as examples of significant gaps in protection.
These breakdowns have occurred within the framework of a “voluntary, disaggregated approach based on information sharing and a public-private partnership at the center of cybersecurity policy,” notes CSIS.
The current approach is flawed, says CSIS, because it “assumes incorrectly” that private entities will share adequate amounts of information despite liability, antitrust and business competition risks. The existing system underestimates the difficulty of sharing classified information with the private sector and simply assumes that if all parties had adequate information about threats, they would take action.
CSIS urges adoption of a broader regulatory system.
While any mandates should not be overly burdensome, CSIS argues that the deficiencies in current controls stem from the lack of a comprehensive regulatory framework.
“One reason that many existing public-private partnerships in cybersecurity have contributed so little is that there is no regulatory backbone to give companies and agencies skin in the game,” says CSIS.
The Internet coalition takes the opposite view. “We know we have the tools to address 80 percent of the current level of cybersecurity attacks,” Clinton said. “So we don’t need to change the current voluntary partnership approach, but we do need to build on the current system and enhance it.”
Under the current system, cybersecurity protection has advanced, says the coalition, and the flexibility of the arrangement has promoted innovation and economic growth that could be stymied by a greater level of government regulation.
A Carrot for Business
In general, businesses are only interested in protecting against Internet breaches in terms of commercial costs and benefits, the coalition observes. Any required investment in cybersecurity that may enhance national security or promote some other social good — but which does not have a commercial payoff — constitutes an unnecessary financial burden.
“The national policy needs to recognize the difference between public sector and private sector goals and provide financial incentives for the commercial sector for implementing cybersecurity measures that aren’t directly beneficial to a business goal,” Clinton said.
The coalition proposed a “menu” of incentives that could be used by tech sector businesses:
- Tax incentives to encourage cybersecurity investments, such as the research and development tax credit;
- Federal grants similar to those used for emergency preparedness. Critical infrastructure industries could use grants for research, equipment purchasing and training;
- Expanding federal programs that provide a mix of marketing, insurance and liability benefits for technologies designated or certified by the Department of Homeland Security (DHS) to cover standards and practices, as well as technologies that protect against various threats;
- Improving or expanding liability protections for risks incurred in adopting cybersecurity measures;
- Stimulating the growth of a private cyber insurance industry that can provide economic incentives to spur greater protection, while creating a market mechanism that fosters adoption and compliance.
Big Brother Specter
The coalition is also wary of alternatives that would compromise Internet privacy, maintaining that government access to private data, somewhat euphemistically referred to as “information sharing,” should be limited and targeted.
There is also concern over proposals that would require industry to share information with a new centralized government clearinghouse. “As with any other partnership function, information sharing is founded upon and enabled by trust. That trust is weakened when government information-sharing mandates are imposed. Therefore, they are far less effective than a private sector-driven, well-incentivized program of collaboration,” the coalition says.
“Some of these proposals would allow the government access to private data so as to pursue some kind of cybersecurity mission, even though that information is already protected by statute,” Gregory Nojeim, senior counsel at the Center for Democracy and Technology, told the E-Commerce Times. “Those protections should not be trumped by cybersecurity objectives.”
The coalition briefing last week drew considerable interest from congressional staffers. “We had a pretty good turnout and some good questions,” Matthew Eggers, director of national security and emergency preparedness at the U.S. Chamber of Commerce, told the E-Commerce Times.
“We’ll probably have more meetings, but I didn’t get the sense that anyone wanted to dispense with the current public-private arrangement,” he said.
Both Congress and the administration are examining options for issuing a national policy, possibly within a few months, although the timetable is uncertain. At a hearing last week, Sen. Sheldon Whitehouse, D-R.I., told Department of Homeland Security Secretary Janet Napolitano that the administration needs to move with more urgency on issuing a cybersecurity policy.