In one of the several congressional hearings on cyber-security, lawmakers discussed data breach notification laws and how to protect critical infrastructure.
experts and public officials testified at a congressional subcommittee hearing
about the role the federal government should play in defending cyberspace and
protecting critical infrastructure from attackers.
are more kinds of malware and online threats, and cyber-criminals are becoming
more sophisticated, industry experts told congressional lawmakers at the May 25
hearing by the House Oversight and Government Reform Committee's National
Security, Homeland Defense and Foreign Operations Subcommittee. While
cyber-security should be a high priority for the government, the industry
should be responsible for securing itself.
is an ever-evolving threat, and there is no single solution to prevent
attacks," Dean Turner, director of Symantec's Global Intelligence Network,
testified at the hearing. "Bad actors are getting smarter and more resourceful
every day, and we must continue to be vigilant to protect our economy, our
national security and our way of life."
individuals and organizations have a "wide variety of motivations and intended
consequences," and can include hackers, cyber-criminals, cyber-spies and
hacktivists, according to Turner.
was no need for government-imposed regulation on cyber-security, according to
Phillip Bond, CEO and president of industry organization TechAmerica. The first
rule is that "Congress should do no harm," Bond said at the hearing. Instead of
coming out with a list of rules, Congress should focus on a system of
incentives and liability protections for companies.
House cyber-security proposal
currently suggests publicly disclosing the
security level of companies that operate critical infrastructure, such as smart
grids, telecommunications infrastructure and gas lines. Several lawmakers have
criticized this approach as "name and shame," and argued that the information
would provide cyber-criminals with a list of vulnerable infrastructure to
target. An incentive program would go further in encouraging companies to
improve their security, Bond said.
makes sense to allow the private sector to take the lead in protecting
infrastructure, considering that the private sector operates more than 75
percent of what is considered cyberspace, Philip Reitlinger, deputy
undersecretary of the National Protection and Programs Directorate at the
Department of Homeland Security, said at a different hearing.
officials appeared fine with their current role in securing critical
infrastructure. The federal government should be a facilitator working with the
private sector, according to Sean McGurk, director of the control systems
security program in the Department of Homeland Security's National Cyber
Security Division. DHS performs voluntary security assessments for companies
that request them, McGurk told the subcommittee.
DHS needs more authority over critical infrastructure and be able to "mandate"
risk-based performance, according to James Lewis, director of the technology
and public policy program at the Center for Strategic and International
while encouraging the government to take a hands-off approach to
cyber-security, the industry would welcome new regulations addressing data
breach reporting, according to Bond. Currently, organizations have to deal with
a patchwork of 47 state laws with differing requirements and language for
notifying consumers when sensitive personal information has been stolen or
exposed. The White House cyber-security proposal calls for a federal
data breach notification law
to override the state laws.
also noted that the term "attack" is too broad and not helpful when discussing
cyber-security. "We tend to call everything bad that happens in cyberspace an
attack," Lewis said. If there is no damage, death or destruction, it should not
be called an attack, but rather "crime or espionage," according to Lewis. Under
his definition, there are only three cyber-incidents that qualify as an attack-Stuxnet,
the blackout in Brazil and the inference with air defenses by the Israelis in a
raid on a Syrian nuclear facility.
have "no boundaries" when it comes to victims, Turner said. Corporate
enterprises are often targeted to steal customer data and intellectual property,
and small businesses are vulnerable to having money stolen out of bank
accounts. The malicious activities impact end users as they have to deal with
identity theft and credit card scams. Governments are victims of
"cyber-sabotage, cyber-espionage and hacktivism," Turner said.
said the DHS does not distinguish between attacks from nation states and those
conducted by criminals and other organizations. The focus should be on
identifying and mitigating risk, McGurk said. Identifying the responsible
parties is difficult and unnecessary. "The source isn't important," McGurk
been several congressional hearings on cyber-security this week. The Senate
Homeland Security Committee discussed the White House cyber-security proposal
on May 23. The House Judiciary Subcommittee on Intellectual Property,
Competition and the Internet also discussed the proposal on May 25.
full House Oversight and Government Reform Committee will hold a hearing June 1
to discuss the full cyber-security proposal from the White House.