Leadership, Cooperation Needed to Move on Cybersecurity, Say Officials

Action may be stalled until the White House appoints a czar on the issue, panelists said. Many people are “waiting to see who [the cybersecurity coordinator] will be before they're going to do anything,” said Marcus Sachs, Verizon executive director of federal relations. U.S. cybersecurity policy will likely remain in a “holding pattern” until there’s strong leadership pushing the issue forward, said Jim Lewis, director of the Center for Strategic and International Studies. The good news is President Barack Obama has said publicly that cybersecurity is a priority for his administration, but “we have to turn nice words into actions.”

Senate leadership and a number of different committee chairmen recognize that legislation is needed, said Parkinson. They've discussed how they're going to work together on the issue, she said. Parkinson declined to predict when legislation will be finished, but said her boss, Sen. Joe Lieberman, I-Conn., plans to soon put out a bill for the Homeland Security Committee. However, bills are coming from many other committees as well, and “there will need to be some meeting of the minds and some negotiating” before a unified bill is ready for the Senate floor, she said.

To minimize inter-committee fighting, Parkinson has guided her committee to focus on legislation dealing with matters within its own jurisdiction, she said. Disagreement and turf wars are probably unavoidable since there’s overlap on some issues, for example whether to establish a White House cybersecurity office, she said. However, “the powers that be believe that this is a big enough deal that you gotta crack through that,” she said. “If you have that sort of push from leadership, it’s easier to pull everything together.”

“The jury is out” on what role the FCC should play, Sachs said. The commission asked questions on cybersecurity in its rulemaking on developing a national broadband plan. The FCC isn’t a “cop and robber organization” like the FBI, so it’s unclear what the agency would do, Sachs said. Perhaps the best way the FCC can help is to focus on expanding broadband to unserved and underserved areas, he said. “Cybersecurity is a threat that rolls through that, but it’s certainly not going to be out front.”

Any successful effort must involve both the public and private sectors because it’s a “shared responsibility,” Sachs said. “You cannot expect” the government or the private sector to make the Internet secure on their own, he said. Regulators should use incentives, not regulation, to get businesses on board, he said. When the government tries to mandate one specific solution, he said, “we get security through compliance, and we always lose there because our adversaries could care less how compliant we are.”

Transparency is also key, said Parkinson. Ordinary people must be assured that the government isn’t trying to do anything “sinister” with the Internet, she said. Transparency was lacking near the end of the Bush administration, when it came out that the government was working on a comprehensive cybersecurity initiative, she said. “No one really knew what was being talked about, so everyone leapt to conclusions that the government was going to take over all private sector networks and then shut down the Internet.”

The U.S. is in “dreadful shape” on cybersecurity, Lewis said. U.S. networks are very vulnerable, and cybercriminals’ skill is nearing that of the National Security Agency, he said. Regulators may recognize the problems, but politics have held them back from taking action, he said. “We are locked into stuff that were great ideas in the 1950s -- like General Motors -- and we can’t get out of it.”