Internet Security Alliance President Larry Clinton was adamant that cost is the main barrier to firms bolstering their cybersecurity, not the absence of clear security guidelines or best practices. Clinton argued that reducing the cost of implementing security precautions would be more effective than establishing new federal regulations.
"This is not a technology issue. This is an enterprise-wide risk management issue," Clinton said, arguing the incentives currently all favor the attackers. He said cyber attacks are cheap and easy, while defending against them is difficult and expensive.
"You're dealing with the invention of gunpowder. Mandating thicker armor isn't going to work."
Lewis admitted the voluntary approach has worked so far in the telecom sector, but said he believes responsibility for security is going to shift away from consumers toward providers, like wireless firms. Entrust President Bill Conner disagreed, arguing responsibility is moving the other way. But he said the FCC should have some role in increasing mobile device security.
Juniper Networks vice president for government affairs Robert Dix and Clinton both praised an information bill from House Intelligence Committee Chairman Mike Rogers (R-Mich.), which passed the Intel Committee in December. That bill would make it easier for firms to share information with the government about attacks, without any new security mandates.
Clinton called passing the Rogers bill along with reform of the Federal Information Security Management Act a "historic and politically achievable goal." Both measures are largely non-controversial, and likely to pass the House if they come up for a vote.
But the comprehensive cybersecurity plans offered by the Senate and White House both include some type of regulatory authority for the Department of Homeland Security over critical infrastructure providers, which has drawn resistance from industry.
Clinton argued that a different approach is needed, not "government control over what the private sector does."