OIRA@2050

Cybersecurity is a huge problem. The bad guys are winning, but just because the U.S. invented the Internet does not mean that the problem can be solved through congressional mandates on corporate systems.  Today, according to Internet World Stats, there are 257 countries and territories connected to the Internet and 2.3 billion online users.  The U.S. represents only about 11 percent of that online population.  American companies need help with cybercrime and cyber espionage, and they need to better understand how to respond in a catastrophic cyber situation, but they do not need the U.S. government inside their data centers or mandating costly security requirements that may be out-of-date or ineffective.

Instead of mandates, U.S. companies need incentives, such as those advocated by the Internet Security Alliance (ISA) and included in the Recommendations of the House Republican Cybersecurity Task Force, led by Congressman Thornberry (R-TX).  “Companies would be able to justify improvements to their security programs if there were a menu of market incentives, such as procurement mechanisms and insurance, that would help justify costs that go beyond their commercial security needs and protect larger interests, such as economic and national security,” said Larry Clinton, president of ISA.  For years, some of us in the security industry have advocated requiring public companies to indicate in their SEC filings whether their security program was tied to an internationally accepted best practice and whether key activities within their program had been undertaken and had oversight.  The concept is based on similar requirements for Y2K, could be done without revealing any corporate confidential information, and steep penalties would apply if the information was falsified.  As with Y2K, we believe non-public companies would follow suit and momentum toward focusing on security programs would quickly grow.

After years of cybersecurity bills in various forms and hearings, it is disappointing that the sponsoring senators, Lieberman, Collins, Rockefeller, and Feinstein) did not listen to such practical ideas and instead adopted a costly, regulatory approach that will increase the size of government and benefit many of the companies who testified (repeatedly).  Seven Republican senators already joined in a letter to Senate Majority and Minority Leaders Reid and McConnell, seeking delay of floor consideration of the bill so the various committees of jurisdiction could consider it.  Such a course of action is not only wise, it is necessary.  It also would allow time for businesses to sit up, pay attention, and get engaged.