The White House’s cybersecurity plan is too focused on punishing companies that suffer attacks and does little to improve cybersecurity, said the head of an industry association representing firms that would be covered by the plan.

Internet Security Alliance president and CEO Larry Clinton argued the White House’s cybersecurity legislative proposal unveiled in May takes an antiquated approach to cybersecurity that fails to recognized how threats have evolved over the past several years.

“They are fighting the last war,” Clinton said on a yet-to-be-aired episode of C-SPAN’s “The Communicators.” “The model they are using for dealing with the private sector is largely antiquated.”

{mosads}Under the White House plan, the Department of Homeland Security would be in charge of developing cybersecurity standards in consultation with private sector firms deemed critical infrastructure. Those firms would then be forced to comply with the new security regulations or face having the results of their security audits and news of attacks publicized by the government.

Clinton said rather than encouraging firms to improve their security, the White House’s “name and shame” approach would only encourage firms to ignore sophisticated intrusions buried deep in their systems. He said firms are aware of the steps needed to prevent the vast majority of basic attacks, but in many cases the cost is prohibitive.

“This is a punitive model where we’re trying to blame the victims of the attack,” Clinton said. “I don’t think that the administration’s proposal really does anything that I can see to enhance cybersecurity.”

Clinton compared the White House’s proposal to the Sarbanes-Oxley financial reporting requirements and said the plan was the type of heavy-handed regulatory approach President Obama had promised to avoid in his landmark speech on cybersecurity in 2009.

“There’s really no doubt that they have proposed here developing a fairly extensive regulatory structure and again that is precisely the opposite of what the president himself promised when he released the cyberspace policy review back in 2009,” Clinton said. He said ISA member firms from critical sectors including banking,
aviation, and communications had virtually no input on the plan.

Clinton called for the incentives proposed by Obama during the 2009 speech such as liability protections, tax incentives and the use of the federal government’s $80 billion information technology budget to encourage firms to adopt better security practices. He also suggested streamlining federal regulations and giving the insurance industry a larger role in the cybersecurity equation.

Clinton noted in many cases the biggest threat are sophisticated, state-sponsored attacks that are persistent enough that they will eventually penetrate any system. Clinton said those attacks cannot be prevented, so the focus should be on responding quickly and preventing the theft of data.

{mosads}He said the White House’s plan would force firms to avoid detecting such intrusions lest the theft be made public and negatively impact the company’s image and stock value.

On the same program, Electronic Privacy Information Center executive director Marc Rotenberg argued the White House should add clear privacy protections to its cybersecurity plan to ensure law enforcement cannot intercept communications without judicial approval.

Rotenberg also said he would like to see clear language in the legislation that would prevent the government from using data collected for cybersecurity purposes for other activities such as tax collection or criminal investigations.