Security Experts Critique Administration’s Cyber Proposal
Cybersecurity experts took aim at the president’s cybersecurity plan and asked lawmakers at a House Homeland Cybersecurity Subcommittee hearing Friday to deviate from several of its key provisions. Witnesses were specifically critical of the proposal’s data breach reporting requirements and of what they called the overly broad regulatory power it gives to the Department of Homeland Security. Cybersecurity legislation should instead update existing laws, boost penalties, and create new incentives to encourage private sector adoption of best practices, they told lawmakers.
Despite many of the good proposals in the President’s cybersecurity plan, some suggestions could actually do more harm to the nation’s cybersecurity, said co-chair of the Congressional High Tech Caucus, Rep. Michael McCaul, R-Texas. He called out the administration’s “name and shame” remedy for companies that fail to pass federal cybersecurity requirements. Such a proposal would only publicize the nation’s cybersecurity gaps and leave companies more vulnerable to attacks, said McCaul. “I don’t think that is good public policy, it invites more mischief.”
The administration’s mandatory data breach disclosure guidelines could push companies to ignore cyberthreats rather than pay closer attention to them, said Larry Clinton, president of the Internet Security Alliance. “We've created exactly the wrong incentives,” said Clinton: “It creates an incentive not to know, so that there is no obligation to report.” Instead the government should confine data breach reporting requirements to attacks which create actual losses and then publish regular cyberthreat reports akin to the Center for Disease Control’s national disease reports, he said.
Lawmakers should also encourage companies to adopt cybersecurity insurance policies in order to motivate them to enhance their defensive posture, Clinton said. “We have not done enough to bring the insurance agencies into the cybersecurity arena,” said Clinton. “It would be far more preferable for Congress to create a system with market incentives to alter the balance of security investment.”
The administration’s proposal to give enhanced regulatory powers to the Department of Homeland Security could have the negative effect of “diluting its operational responsibilities,” said Melissa Hathaway, the former senior cyberspace director for the National Security and Homeland Security councils at the White House and current president of Hathaway Global Strategies. “An overly restrictive approach should be avoided, yet, we cannot afford to pass legislation that would prove to be feckless.” She stressed the need for stiffer penalties for cybercriminals, and updates to several laws including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Federal Information Security Management Act among others.
Rep. Lara Richardson, D-Calif., agreed that Congress needs to implement stronger penalties for cybercrime in order to disincentivize bad actors. “Many cyber attackers continue attacking networks because there is a low risk of being caught,” she said.
One of the better cybersecurity proposals offered by the administration is the provision of safe harbor protections following an attack or data breach, said Greg Shannon, chief scientist for the Computer Emergency Readiness Team at Carnegie Mellon University. It’s important that legislation support the ability to “respond quickly and maintain the velocity of the investigation and the collection of evidence,” he said.