With the Senate failing to advance the Cybersecurity Act of 2012 (S.3414) to a full vote earlier this month, we must take this opportunity to engage in an honest dialogue about the risks to our nation’s critical and cyber infrastructure.
In order to do so, we must first put to rest some of the fallacies that remain from S.3414’s failure to advance in the Senate — particularly the claim that industry is directly responsible for the defeat of the most recent iteration of Sens. Joe Lieberman (I-Conn.) and Susan Collins’s (R-Maine) legislative proposal. Industry is every bit as committed to the protection, preparedness and resilience of critical infrastructure as anyone in government, and history tells us that when government and the private sector work together, we can achieve remarkable results.
Some have stated that Lieberman and Collins changed their bill from a mandatory system to a voluntary one. However, it is clear that the liability provisions, as written, would force a compliance regime. The bill would force companies to seek certification instead of making the security improvements they believe are necessary for their own systems. Moreover, the certification standards would be written by the government rather than drawn from industry best practices. The bill would establish a council that would receive industry input, but the government could still disregard industry recommendations in favor of its own proposals.
Lieberman and Collins have stated correctly that the critical infrastructure of both the private sector and government are under constant cyber-attack from foreign nations, criminals, hacktivists and terrorist organizations. That is why industry has attempted to work closely with Congress to address these challenges in a collaborative manner. In fact, there are several elements of the Lieberman-Collins bill that the private sector embraces, including enhanced criminal penalties for cybercrimes, updating federal information security requirements, increased investment in research and development, and new authorities for training and recruitment.
Where there is significant disagreement is over the proposed authority granted to government to tell industry how to manage risk and to impose a new regulatory and compliance regime. Regulation and compliance mandates alone do not produce improvements in cybersecurity and might, in fact, make us less secure. Instead, government should work with industry to promote the continued investment in research and development that produces innovation and delivers meaningful and measurable solutions to the market.
One way to ensure cooperation and share responsibility is to build a joint, integrated, public-private operational capability to improve detection, prevention, mitigation and response to cyber-events that may become incidents of national or global consequence. Given that much of the current legal framework was developed when we lived in a largely analog world, this must go hand in hand with updating that framework to remove impediments to information sharing between government and industry while ensuring protection of privacy and civil liberties.

Developing a comprehensive campaign of national education and awareness to raise the bar of “cyberhygiene” for all user constituencies is also necessary. We must also work closely with institutions such as the National Institute of Standards and Technology, national labs, universities, and government and industry experts to examine technical issues, economic impediments and operational challenges.
The knowledge base that will move the needle forward for enhanced cybersecurity and critical infrastructure protection has already been established for many of these issues. Let’s come together, sort out our differences and get to work.
Robert B. Dix, Jr. is vice president of Government Affairs and Critical Infrastructure Protection for Juniper Networks. Reprinted from Politico.com, August 21, 2012.