THE HILL
 

Cybersecurity is a 'team sport'

By Rep. Dan Lungren (R-Calif.) - 02/03/12 01:09 PM ET

The federal government possesses cybersecurity threat information and technical capabilities that private enterprises simply do not have. But what is the proper role of the government in the cyber realm? Should it provide cybersecurity for the private sector, or should the government require that the private sector secure its own networks to a particular standard? These topics are currently under great debate in both the House and Senate.

The Internet is a complex system, made up of a growing number of networks and digital devices. It would be exceedingly difficult for any one body or organization to manage and ensure the integrity (viability) of the Internet and all devices that connect to it without massive resources and sweeping authorities, including the standardization of security practices. Such standardization could restrict and slow the innovation that has sparked the global technology industry; could limit the flexibility, and thereby the value, a network provides to its owner; and, in the long run, could actually make networks more vulnerable, especially in instances of state-sponsored hacking. At a time when we’re still struggling with the impact of the economic downturn, new standards and regulations would be poorly received.  

As such, the federal government should not endeavor to provide or manage security for the nation’s networks. Instead, the government should enable strong security by sharing information on threats and risks and facilitating the exchange of best practices and security techniques. Government should provide private sector entities the information which is necessary to protect themselves. It should create an environment in which firms are encouraged to take more than minimal security steps and are rewarded for doing so. Government needs to facilitate an environment where good guys can share information and best practices as quickly and efficiently as the bad guys currently do. As a nation we are hindering advanced cybersecurity by inhibiting the sharing of timely and actionable information. Government is as much to blame by over-classifying cybersecurity threat information as the private sector is for refraining from reporting cyber incidents for fear of damage to their reputation and/or price per share.

Our legislation, H.R. 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Enhancement Act of 2011, or PrECISE Act, attempts to address this situation by doing three things. First, it authorizes the secretary of homeland security to protect our federal networks, systems and critical infrastructure from cyber attack. It provides a clear role and responsibility for the Department of Homeland Security to operate, especially since cybersecurity is truly a “team sport,” as the administration is fond of stating.

Additionally, this legislation requires the secretary to work with the owners and operators of critical infrastructure and their sector-specific agencies to identify sector-specific cybersecurity risks. The secretary shall review and collect existing cybersecurity performance standards and evaluate them against identified sector-specific risks. This would provide clear guidance to critical infrastructure owners on what risks they are facing, as well as collect the best standards for mitigating those identified risks.

Finally, to improve the state of information sharing in this country, our bill designates a National Information Sharing Organization, or NISO. The NISO will have three missions: 1) to facilitate the exchange of vital cyber threat information, best practices and technical assistance among its private sector and government members; 2) to create a common operating picture of the network enabled by its most sophisticated members, Internet service providers and the government; and 3) to facilitate cooperative research and development projects driven by the NISO members themselves. The NISO would provide a private-sector-centric environment for sharing information amongst the private sector and with the government. The NISO would be structured to protect the sensitive information shared within its confines. Being a membership-driven organization, it would need to bring value to its membership in order to maintain its existence.

The bottom line is the threat is real and it is grave. Government should enable and facilitate the private sector to protect itself by providing needed information, guidance and best practices. Our country has the imagination and the expertise to better protect itself; we in government need to facilitate, not dictate, proper cybersecurity.

Rep. Dan Lungren (R-Calif.) is the Chairman of the Committee on House Administration, as well as the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. He is the sponsor of the Protecting and Enhancing Cybersecurity and Information Sharing Effectiveness (PrECISE) Act.


Source:
http://thehill.com/blogs/congress-blog/technology/208579-rep-dan-lungren-r-calif
