Trade Law Daily is a service of Warren Communications News.

Congress Does Better on Cybersecurity by Accident—Analyst

SAN JOSE -- Congress accomplishes more for Internet security by accident than it does directly, said a Washington think-tanker. Side effects of Gramm-Leach-Bliley, Sarbanes-Oxley and the Health Insurance Portability & Accountability Act have been to focus attention on cybersecurity much better than direct legislative efforts, which apart from the Federal Information Security Management Act (FISMA) have “invariably gotten screwed up,” Technology Policy Dir. James Lewis of the Center for Strategic & International Studies said on an RSA Conference panel here late Tues.


“We've made significant progress” since the National Strategy to Secure Cyberspace came out 3 years ago, said Andy Purdy, acting dir.-National Cyber Security Div., Homeland Security Dept. That’s shown by the Cyber Storm exercise last week, he said. The exercise took account of physical as well as electronic threats, reflecting Homeland Security’s recognition of the connection, Purdy said. “It is pre-Katrina in cyberspace,” and dealing with natural disasters and physical attacks is an important part of cybersecurity, he said. Though complete results of the test of response communications by federal, state, local and important private players won’t be in till summer, unspecified steps are being taken to improve reactions, he said.

Greater collaboration is needed between govt. and business, especially in identifying risks, detecting threats, identifying the sources and recovering from attacks, Purdy said. The federal govt. has helped improve cooperation nationally and internationally and raised awareness of the importance of cybersecurity, which is particularly important in persuading corporations to cover expenses whose financial return isn’t obvious to them, he said. Purdy said he wants to uncover what additional information should be shared among govt. and industries with and without Information Sharing & Analysis Centers. Some important sectors don’t appreciate their vulnerabilities and the interdependence of networks, he said, without identifying them. And “marginally profitable groups of players” sometimes have trouble doing the spending needed, Purdy said. They need incentives as well as increased understanding of the risks, he said.

Exploiting file-sharing software to steal information from PCs is a “tremendous problem” that needs to be drummed home to users, Purdy said. In general, consumers need to have an easier time securing their systems, he said.

Cybersecurity is in better shape than 3 years ago, though threats like phishing and ID theft still have only “spot solutions,” said consultant Howard Schmidt, former White House cybersecurity adviser: “We're much stronger than we have been ever in the past.” Business recognizes it must deal with the problem, he said. Today there are commercials tackling the question, whereas in 2003, companies were reluctant to talk about it publicly, Schmidt said. He said no phishing e-mail has made it past his bulk bin to his inbox in a year. Schmidt expects an 8.6% increase in security spending this year.

Vulnerabilities are being handled better than before, Schmidt said, so recent attacks have been “less impactful… It’s been 2 years since we had a major cybersecurity incident, and it’s not just because we're dumb-lucky.” Security awareness and training efforts are growing and succeeding, he said. International cooperation has improved and the federal “agencies are getting better,” Schmidt said.

“We don’t need more regulation,” Schmidt said. Former Federal Aviation Administration (FAA) CIO Dan Mehan, too, warned against overregulation, saying compliance efforts can sap innovation. But Lewis said there probably are networked national industries like telecom and finance that should be identified to be given federal security standards.

Mehan emphasized security shortcomings more than Schmidt had. True, FISMA has helped by setting standards and letting agencies use counterparts as benchmarks, he said. The law did a service with its stress on training -- otherwise one of the first activities cut in tough budget times, Mehan said. Creation of the Homeland Security Dept. and Presidential Directives 7 and 12 also represent progress, he said. But cyberattacks have become uncountably continuous, and much faster spreading, Mehan said, and the response hasn’t improved proportionally. Making networks resilient and self-healing is crucial, and business has recognized that, he said. Mehan said he would give Washington and big business a C minus or D on cybersecurity -- though “it would have been a flat F a couple years ago.” He urged more R&D, better software and improved cooperation between govt. and business.

Congress’s refusal to give the FAA all it wanted for cybersecurity turned out to be a blessing in disguise, Mehan said: It forced the agency to lean on businesses to ensure their R&D reflected its needs, he said. In recent years, Microsoft, Cisco and others “drastically changed the way they were funding the way they were looking at cybersecurity,” Mehan said. That’s partly thanks to White House and federal agency procurement changes, policy statements and other guidance, he said: “It is clear that companies are putting substantially more into this, and that is helping us.”

Still, “the federal funding levels do need to be increased” in security research, and the govt. needs to get better at examining all agencies to find research money, Mehan said. Schmidt said that between them, govt. spending for national security and public safety and business spending to develop products leave a research gap. “You can’t get everything from the government,” he said.