Cyber security experts on Wednesday warned members of a House subcommittee against racing to legislation that would establish an overly burdensome regulatory framework for safeguarding digital systems against attacks, instead urging a more limited approach that would clear away legal impediments such as the prohibitions against sharing critical threat information.
Most, though not all, of the witnesses testified in favor of a strictly limited federal approach to cyber security, one that would be light on regulation while focusing on incentives and coordination across the private sector and with government agencies.
Several panelists and some lawmakers expressed the concern that prescriptive regulation in such a rapidly evolving sector as cyber security would threaten to hobble the development of new defense mechanisms as companies grapple with an additional set of compliance requirements.
"Traditional approaches, including federal regulation, will not solve the problem because they're going to be largely reactive and will not stay ahead of the changing threat nature," Larry Clinton, president and CEO of the Internet Security Alliance, told members of the House Energy and Commerce Committee's communications and technology subcommittee.
"Worse, to add regulation would be counterproductive, leading companies to expend their limited resources on building in-house efforts to meet regulatory demands rather than focusing on security," Clinton added.
Debate looms as Senate wraps up bill
The House hearing comes as the latest step in the run-up to what could become a major debate in Washington, as members of the Senate put the finishing touches on what is expected to be a comprehensive overhaul of the policy framework for the nation's cyber defenses. That bill would likely vest the Department of Homeland Security with limited regulatory oversight of critical infrastructure operators, among other provisions. Majority Leader Harry Reid has signaled his intention to put the legislation on the fast track for a floor debate in the Senate.
The lone advocate of a comprehensive approach at Wednesday's hearing was James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
"The central problem for the U.S. will be redefining the role of government," Lewis said in his written testimony. "There are clearly areas where the government should not interfere. At the same time, cyber security is a national security problem that requires more government involvement, not less."
The House takes a different approach
In contrast with the Senate, the House is taking a more piecemeal approach, with various small-scale bills working their way through the committees of jurisdiction. One piece of legislation that emerged from the Intelligence Committee drew praise from some of the witnesses for its narrow focus on clearing away the legal obstacles to sharing information about threats.