Bumper crop: Cyber security legislation
Larry Clinton, CEO of the Internet Security Alliance, says he is encouraged that legislators recognize that cyber security is an economic issue, not just a technical concern.

Clinton, who supports the House bill, recommends that legislation be passed that includes incentives for a company to employ improved security practices. “It's in their economic self-interest to be more profitable,” he says.

He likens the potential fiscal perks for strong security to that of the early 20th century, when government regulations made it economically beneficial for the electric and telephone companies to expand their services for universal access by guaranteeing a rate of return for the investments. This approach could work for cyber security as well, he says.

However, not all are pleased by the proposed legislation. “The Cyber Intelligence Sharing and Protection Act would create a cyber security exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government for cyber security purposes,” a statement from the American Civil Liberties Union (ACLU) says. The bill, the group points out, would not limit the companies to sharing only technical, non-personal data.

The Electronic Frontier Foundation (EFF) also voiced concern about the use of data collected by the federal government. “[H.R. 3523] doesn't limit what the federal government can do with the data or private communications that ISPs and others hand over, except to say that it can't be used for regulatory purposes – apparently it can be used for law enforcement and intelligence targeting purposes.”

A competing bill, backed by Rep. Dan Lungren, R-Calif., and still in draft form, appears to appease some House Democrats as it would create a nonprofit entity called the National Information Sharing Organization, which would include members from federal agencies, corporations and civil liberties groups. The bill has received a more favorable response from some because it doesn't assign a specific role for DHS.

Still, as organizations such as the ACLU and EFF express concern about the swapping of data among companies and the government, a presidential directive authorizing such sharing has been in place since 2003. President George W. Bush signed Homeland Security Presidential Directive-7, a direct response to the events of Sept. 11, 2001, as a way to gather information about potential future attacks. The directive instructs the secretary of DHS “to maintain an organization to serve as a focal point for the security of cyber space. The organization will facilitate interaction and collaboration between and among federal departments and agencies, state and local governments, the private sector, academia and international organizations.”

Specifically, the directive says federal agencies “…will collaborate with appropriate private sector entities and continue to encourage the development of information sharing and analysis mechanisms…to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices.”

While the directive does not address the issue of privacy, companies in various vertical industries have created groups to share anonymized data about breaches so that they can better defend against them in the future. These groups, called information sharing and analysis centers (ISAC), were developed as a result of the presidential directive.

The current crop of proposed legislation goes beyond this presidential directive, however, and could codify into law changes to existing privacy laws.

ISA's Clinton says the government is more accustomed to defending against an attack from a single entity. Cyber security is more akin to a terror attack where the enemy is harder to identify and might not be a single entity. Today's regulations favor the attackers, he says. Attacks are inexpensive to conduct and quite profitable. It is easy to obtain malware scripts. The tools for the attacks can be used multiple times. “The business model is great,” he says.

By changing the economic playing field through legislation and financial incentives for industry, Clinton adds, the government can make it more profitable for companies to build inherently more secure networks than to treat the expense of remediating a problem as a cost of doing business.

“If you make it about corporate responsibility, it's unsustainable,” he says. “You need to alter the economics so it's in [the enterprises'] economic self-interest to be more secure.”

Photo: Rep. Mike Rogers, R-Mich., left, and moderator David Gregory, appear on “Meet the Press” in Washington, D.C.