Should Companies Be Required to Meet Certain Minimum Cybersecurity Protections?

From: Wall Street Journal

Cybersecurity specialists tackle the question of whether the government should set standards for protection of corporate computer networks.

By Siobhan Gorman

U.S. companies appear to have lots of not-so-secret secrets.

Intelligence reports, for instance, say China and Russia have been pilfering vast quantities of secrets from U.S. companies, while U.S. officials say Iranian-backed hackers have mounted a relentless campaign against U.S. banks.

President Barack Obama in February signed an executive order to establish programs for voluntary computer-security standards and data sharing between the government and U.S. companies about cyberthreats. On Capitol Hill, Congress remains tied in knots on cybersecurity, with Democrats and Republicans sharply divided over whether the government should play a significant role in protecting U.S. computer networks.

We asked a panel of cybersecurity specialists to tackle the question: Should companies be required to meet certain minimum cybersecurity protections?

Christopher Finan, a former White House cybersecurity aide; Liz Gasster, vice president at the Business Roundtable; and Michelle Richardson, legislative counsel with the American Civil Liberties Union, debated the question.

Here are edited excerpts of their conversation.

MR. FINAN: The rationale is simple: to protect the nation from attack. Private-sector companies operate most of the nation’s critical infrastructure, and many aren’t investing enough in computer security protections. A determined adversary could harm Americans by attacking and disrupting the critical computer control systems like those that supply power and clean water to our communities.

The administration has done all it can under current law to address these risks, so until Congress acts, the government basically has to ask companies nicely to take basic steps to protect Americans. So far a lot of corporate operators have simply refused to act, accepting the risks that we all then are forced to share. Our adversaries know this is a strategic weakness, and you can bet they will take advantage of it the next time we’re in a tense situation overseas.

MS. GASSTER: I wholeheartedly agree that better cybersecurity protection is essential, but I respectfully disagree that companies have refused to act. With so much at stake, companies are fully motivated to protect against cybersecurity threats and do so every day. What the private sector needs is access to information about potential threats that only government can provide.

MS. RICHARDSON: Many government and private-sector programs have no effect on privacy or civil liberties, and we encourage the administration, Congress and companies to focus on those. Things like creating basic standards, securing the supply chain, creating a cyber-knowledgeable workforce and educating the public on computer hygiene [updating security software] are all part of the solution.

To hear Congress talk about it, the end-all be-all of cybersecurity is revoking current privacy laws so that companies can share sensitive information with each other and the government. The effect on privacy comes down to what information will be shared, with whom, and what can be done with it after it’s shared. It’s disappointing that the House is pushing an incredibly broad bill that allows all sorts of personal information to be shared in a completely unaccountable fashion, even with military agencies like the National Security Agency.

MS. GASSTER: We believe government should establish a framework—both technical and legal—for government to share cybersecurity-threat information with industry. Once frameworks are in place, government and industry should work together toward developing threat-informed risk-management capabilities that can keep pace with cybersecurity threats. When considering the role of standards and best practices, policy makers should contemplate the ever-evolving characteristics of cybersecurity threats and work toward structures that are voluntary, agile and flexible. We believe the executive-order process will provide an opportunity for lessons learned in the standards area, and therefore recommend that Congress consider the results of implementation before acting on standards.

MR. FINAN: I agree with Liz Gasster’s point about threat-informed risk-management capabilities, and actually that’s exactly the type of critical-infrastructure protection framework I believe Congress should enact right away to begin to build on the work of the executive order.

Many companies are effectively mitigating cyber risks, particularly in the financial sector; however, all are not. One of the difficulties of cybersecurity is that many systems are connected and rely on each other. Vulnerabilities left unaddressed are cyber risks shared by all in this system.

The critical-infrastructure companies that already have effective risk-management frameworks in place should not have to do more. It would be irresponsible, though, for Congress to simply wait and hope for the cyberholes in the nation’s critical infrastructure to be plugged. Hope is not an acceptable risk-management strategy when American lives are on the line.

MR. FINAN: Strong cybersecurity practices just make good business sense at a time when intellectual property and trade secrets are increasingly being targeted for theft. Moreover, officers of publicly held companies have an obligation to their shareholders to disclose material information regarding cybersecurity risks and incidents. Operators of critical infrastructure systems that people rely on for life-sustaining services have the added responsibility of ensuring their systems are at least protected with industry-consensus best practices. Select nation-states as well as nonstate actors with the intent to harm Americans are becoming capable of doing so by using widely available cyberattack tools to disrupt poorly protected systems.

MS. RICHARDSON: Whether companies should be responsible for removing personally identifiable information before sharing cyberthreat information is shaping up to be one of the biggest fights in the legislative realm. Putting the onus on companies to do this is one of the most important privacy protections that need to be included in any legislation. We’ve endorsed a proposal that would require that companies make a reasonable effort to remove it before sharing less-sensitive data.

Representatives from the financial and energy sector testified that companies are capable of protecting personal information and that it is rarely going to even be necessary to address a cyberthreat. Ultimately, the personal information contained in Internet records is some of the most sensitive out there. It can reflect the political organizations we belong to, what we read, where we go, what we worship and study—and absolutely needs to be protected. It should never be at the whims of the companies who hold this information whether to share it or not.
