Legislation that would authorize the U.S. Department of Homeland Security to create emergency preparedness standards for private industry takes the wrong approach toward cybersecurity, some experts said Tuesday.
Sections of the Improving America's Security Act, which passed the U.S. Senate March 13, and the Implementing the 9/11 Commission Recommendations Act, which passed the House of Representatives Jan. 9, would authorize the DHS to create voluntary cybersecurity and other preparedness standards. The Senate version would also authorize the DHS to create certification and accreditation programs associated with the standards.
One audience member at an event hosted by the Center for Strategic and International Studies suggested the standards would be less than voluntary. Companies that don't institute the DHS standards could be sued for negligence after something goes wrong, he said.
Larry Clinton, president of the Internet Security Alliance, agreed. "Once [the standards] are washed through the DHS, it's a different standard than I would understand as voluntary," he said.
Members of several industries, including IT, trucking, and hospitality, raised concerns at the CSIS event focusing on the legislation from a cybersecurity perspective. Although the legislation requires the DHS to seek the input of private industry groups while developing the emergency preparedness standards, it gives DHS Secretary Michael Chertoff broad power to create the standards, said Michael Hickey, vice president of government affairs for national security policy at Verizon.
Hickey and other participants also raised concerns that the legislation would ignore emergency preparedness plans that private sector groups have already developed. But Mary Beth Schultz, counsel for the Senate Committee on Homeland Security and Government Affairs, said the Senate version of the legislation would not preempt standards already created.
"We are not in any way trying to get rid of best practices" already in place, Schultz said.
The DHS and private companies seem to have different goals, added Randal Mullett, vice president of government relations for trucking company Con-way. While companies know they have to manage risk, the DHS seems to want companies to eliminate all risk, he said. In addition, tech vendors try to sell companies more security than they think they need, he said.
"Technology providers and security professionals are driving this train and telling people in business what they need," Mullett said. "The assumption that everybody in business is just not doing what they should be doing to protect our companies ... is kind of a crazy place to start this conversation."
Clinton, from the Internet Security Alliance, seemed to disagree, saying a lot of companies do not take cybersecurity seriously enough. But instead of government mandates, he called for cybersecurity incentives, such as improved cybersecurity insurance, awards programs, and caps on legal liability for companies that adopt cybersecurity best practices. His group, a coalition of IT vendors and customers, called for new market-based approaches for cybersecurity in a white paper released earlier this month.
"If the government sets the standard, it pretty much stays there," Clinton said. "What we need, frankly, are far more dynamic motivators to get corporations to continue to upgrade their systems."