Security experts ask House for a light regulatory touch

Cybersecurity experts on Wednesday warned members of a House subcommittee against rushing into legislation that would establish an overly burdensome regulatory framework for safeguarding digital systems against attacks, instead urging a more limited approach that would clear away legal impediments such as the prohibitions against sharing critical threat information.

Most, though not all, of the witnesses testified in favor of a strictly limited federal approach to cybersecurity, one that would be light on regulation while focusing on incentives and coordination across the private sector and with government agencies.

Several panelists and some lawmakers expressed the concern that prescriptive regulation in such a rapidly evolving sector as cybersecurity would threaten to hobble the development of new defense mechanisms as companies grapple with an additional set of compliance requirements.

"Traditional approaches, including federal regulation, will not solve the problem because they're going to be largely reactive and will not stay ahead of the changing threat nature," Larry Clinton, president and CEO of the Internet Security Alliance, told members of the House Energy and Commerce Committee's communications and technology subcommittee.

"Worse, to add regulation would be counterproductive, leading companies to expend their limited resources on building in-house efforts to meet regulatory demands rather than focusing on security," Clinton added.

Debate Looms as Senate Wraps Up Bill

The House hearing comes as the latest step in the run-up to what could become a major debate in Washington, as members of the Senate put the finishing touches on what is expected to be a comprehensive overhaul of the policy framework for the nation's cyber defenses. That bill would likely vest the Department of Homeland Security with limited regulatory oversight of critical infrastructure operators, among other provisions. Majority Leader Harry Reid has signaled his intention to put the legislation on the fast track for a floor debate in the Senate.

The lone advocate of a comprehensive approach at Wednesday's hearing was James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.

"The central problem for the U.S. will be redefining the role of government," Lewis said in his written testimony. "There are clearly areas where the government should not interfere. At the same time, cybersecurity is a national security problem that requires more government involvement, not less."

The House Takes a Different Approach

In contrast with the Senate, the House is taking a more piecemeal approach, with various small-scale bills working their way through the committees of jurisdiction. One piece of legislation that emerged from the Intelligence Committee drew praise from some of the witnesses for its narrow focus on clearing away the legal obstacles to sharing information about threats.

The Cyber Intelligence Sharing and Protection Act would remove antitrust restrictions to allow private companies to coordinate their defense strategies. Additionally, the bill would authorize government intelligence authorities to share information about critical threats with certain industry stakeholders who had obtained appropriate security clearances, a provision that would seek to rectify the imbalance in the flow of information between the public and private sectors that many business leaders have identified.

"I'm tired of it being a one-way street to intelligence with nothing in return," said Bill Conner, president and CEO of security software vendor Entrust.

The intelligence sharing bill would also include provisions to create incentives for private firms to improve their cybersecurity posture without imposing new regulations. Companies that could demonstrate their good-faith participation in information-sharing programs and the implementation of certain security measures would enjoy a shield from legal liability in the event of a successful attack.

Those types of steps could go a long way toward bringing cybersecurity into alignment with a private business's commercial interests, a disconnect that continues to result in many firms taking a lax approach toward security, according to Robert Dix, vice president of government affairs and critical infrastructure protection with networking-equipment provider Juniper Networks.

"If we focus only on technology and technology development, we are likely to miss the opportunity to examine the challenges and impediments to technology and solution adoption," said Dix, an opponent of any broad legislative mandate that would implement new regulations. "The market is delivering innovation at an unprecedented pace in history. However, the evidence would suggest that adoption of available solutions has not kept pace."

For Lewis of CSIS, incentives are an integral part of the solution and could take the form of tax breaks or subsidies for private-sector firms to bolster their defenses, but regulation will, in certain cases, be a necessary policy lever.

"There's straightforward evidence that what we're doing now isn't working," he told the panel.

Lewis was quick to note that the heightened regulation he envisions would not be a one-size-fits-all prescription, and that it would spare industries such as telecommunications providers, which he credited with having done a good job of protecting themselves. Other sectors, meanwhile, are in "bad shape," he said, a weakness that looms large over all the interrelated sectors of the economy. "An unregulated internet is not a substitute for a friendly business environment," he said.

"This is a place where we don't want the government creating the technology," Lewis added, "but you [might] want it coordinating a response."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
