As corporate America tries to work more closely with the federal government to improve network security, a primary goal among CEOs is avoiding new federal regulations.
However, executives who are directly responsible for network security do not necessarily share that goal. CIOs and chief security officers across the country are quietly advocating regulation to spur their bosses into acting more effectively on network security, according to Tom Noonan, president and CEO of Internet Security Systems Inc.
There is a widespread feeling among executives accountable for IT that security is not receiving the attention it deserves from the helm, Noonan told top corporate executives gathered for a teleconference of the National Infrastructure Advisory Council Tuesday.
“I've wanted to head for the hills every time I hear it,” Noonan said.
Noonan's disclosure was met with resistance by members of the NIAC, many of whom already face considerable regulation.
“Another layer of regulation [in the pharmaceutical industry] would probably just make it more complicated to get things done,” said Karen Katen, president of Pfizer Global Pharmaceuticals and executive vice president of Pfizer Inc.
The financial services industry is particularly eager to discourage Washington from adding any new mandates to its lengthy roster of federal rules. Alfred Berkeley, vice chairman of NASDAQ Stockmarket Inc., and Martin McGuinn, chairman and CEO of Mellon Financial Corp., voiced opposition to any further direct federal regulation.
Nonetheless, the NIAC will take a closer look at the potential need for regulatory guidance, particularly within sectors that are not necessarily motivated by profit to enhance security, such as the water and electricity industries, said Richard Davidson, NIAC chairman and president and CEO of Union Pacific Corp.
“In some unusual situations, it might take regulation to make this happen,” Davidson said.
The NIAC, made up of chief executives from companies hosting critical infrastructure, is now administered by the . Robert Liscouski, who was appointed assistant secretary of Homeland Security for Infrastructure Protection in late March, sat in on Tuesday's meeting.
Addressing a concern expressed lately by prominent IT experts, including Richard Clarke, former cyber-security adviser to the president, Liscouski said that the Information Assurance and Infrastructure Protection division of the new department “places an especially high priority on protecting our cyber infrastructure.”
The NIAC is also looking at the thorny issue of network vulnerability disclosure. Council members' opinions on the topic range from full disclosure to limited disclosure, but there is a consensus that guidelines are needed for handling vulnerabilities, said John Chambers, NIAC vice chairman and president and CEO of Cisco Systems Inc.
“Lacking existing guidelines, people invent solutions,” Chambers said, adding that ad hoc solutions can create new problems. A task force set up by the council will complete a study on the matter by the end of June, Chambers said, and the initial assessment is that disclosure can cause more risks than it eliminates.