Cat Out of Bag on Infosec Regulation?
President's Counterterrorism Adviser Defines Who's at Risk
Who knows how best to safeguard the nation's critical IT infrastructure: the federal government, the mostly private owners of those vital systems or both?
See Also: ISO/IEC 27001: The Cybersecurity Swiss Army Knife for Info Guardians
The Obama administration and its supporters on Capitol Hill would say both, and the Cybersecurity Act of 2012 would have established a framework to have the government and private sector collaborate to create security standards to safeguard the infrastructure. The bill, when introduced, would have allowed the government to implement those standards as regulations, but Republican lawmakers balked at that idea. So, the sponsors, with the White House blessing, rewrote the Cybersecurity Act to make adoption of the standards voluntary by business. Still, the GOP cringed, contending voluntary standards could eventually morph into regulations and balked at providing the needed votes to end a filibuster [see Senate Votes to Block Cybersecurity Act Action]. The bill is dead, and if resurrection is possible, it won't occur until after the November election.
Supporters of the Cybersecurity Act maintain the excising of any regulations from the bill was sincere, and not a ruse to sneak in regulation. But President Obama's counterterrorism adviser John Brennan didn't do backers of the bill any favor in comments he made during an Aug. 8 interview with PBS NewsHour:
"One of the things that we need to do in the executive branch is to see what we can do to do maybe put additional sort of guidelines or policies in place under executive branch authorities. I mean, if the Congress is not going to act on something like this, then the president wants to make sure that we're doing everything possible."Elsewhere in the interview, Brennan said:
"Clearly, the market has not developed ... on its own the cybersecurity requirements. Of course, if it did, then we wouldn't have these intrusions and the billions of dollars of losses that companies are now writing off."Comments like those fuel Republicans' fears that the bill's supporters, mostly Democrats, secretly plan to evolve voluntary standards into rules businesses must follow.
But Brennan makes a point many business executives and their GOP supporters reject: that without regulations, the nation's information security is at risk. Said Brennan:
"The people - American people are the ones that are going to be at risk, not just because of, you know, personal identification information that is going to be out there, but also the water we drink, you know, the electricity that we - that we depend upon, the hospitals that require that type of support, critical infrastructure - that's increasingly at risk.Brennan's comments - though not politically correct in an era of anti-regulation, at least in Congress - speak a certain truth.
Risk has always been a crucial component of organizations deciding how best to safeguard their digital assets. But risk to whom? Businesses - especially publicly traded ones - have a fiduciary responsibility to shareholders to get the best bang for their investments. When assessing the risk to their IT systems - even if those systems support critical infrastructure such as the electric grid or banking systems - corporations consider the impact on themselves and not others. They're not legally bound to do so in most instances.
But Brennan and others view the risk to all citizens of the United States, not just corporations, and that would mean more involvement by the government in developing standards to protect vital IT, whether voluntary or mandatory. This fight is far from over.
