Panel: Gov't can't mandate security

Incentives such as investment tax credits are thought to be more effective

WASHINGTON - Now is not the time for the U.S. government to mandate cybersecurity standards to private industry, despite significant threats and a lack of understanding by many company executives. So concluded a panel of government officials that met to discuss the issue in September.

The panel of cybersecurity-focused officials -- part of a discussion in Washington, D.C., on whether government and private industry are doing enough to protect confidential information -- agreed that cybersecurity mandates were not the right way to encourage private companies to adopt cybersecurity best practices. Instead of a so-called stick approach, the U.S. Congress could develop some "carrot" incentives for companies looking to upgrade their cybersecurity efforts, according to Bob Dix, staff director of the technology and information policy subcommittee of the U.S. House of Representatives Committee on Government Reform.

The subcommittee is considering several incentives for cybersecurity efforts, including an investment tax credit and a limit on liability for companies adopting cybersecurity best practices, Dix said. A liability limit could include an exemption from U.S. Federal Trade Commission (FTC) actions taken against companies that adopt best practices but still experience a security compromise -- such as hacker intrusion -- that results in the release of consumer data, Dix added.

In late 2003, the subcommittee considered legislation that would have required companies to fill out a cybersecurity checklist in their filings with the U.S. Securities and Exchange Commission. Even though Dix and Chrisan Herrod, the SEC's chief security officer, expressed concern over the state of cybersecurity in the United States, they stopped short of advocating government-defined standards.

Instead, says Dix, best practices should be defined by private industry.

However, a big part of the problem is that there's no general agreement on which cybersecurity best practices should become standards, Herrod said at the panel. In terms of government mandates, "we're not there yet," she said, adding that the likelihood of getting any such mandates is currently slim. "I don't think it's possible to mandate something when you don't have agreement on what that something is."

By neglecting to come up with best practices, the government is not simply shirking its responsibility; one industry may require different standards than another industry, and a small business may have different cybersecurity requirements than a large business, noted Laura DeMartino, legal adviser for Orson Swindle, the commissioner of the FTC. "A broad (government) mandate may not be needed for a company that does not maintain sensitive consumer information," she added.

Still, panelists say, many business executives don't give cybersecurity the attention it deserves. Many CEOs still don't see cybersecurity as an important corporate governance issue, Herrod said. "We would love to see information assurance and information security standards as part of corporate governance, but not in the context of mandating them -- in the context of every company following the best practices they can possibly put in place," she said.

In an interview, the FTC's DeMartino says that despite the lack of broad government mandates, there are information security guidelines that CIOs may find useful. The Gramm-Leach-Bliley Safeguards Rule, which specifically targets how financial institutions protect consumer data, includes safeguards for information security that CIOs from any industry would do well to follow, DeMartino says. Among them: Devise a written plan that details how to protect consumer data; conduct a thorough risk assessment that identifies internal and external vulnerabilities; and design -- and test periodically -- a plan to control those risks.