The U.S. government needs to create new regulations and incentives to get private companies to protect important cyber infrastructure, including the electricity grid, water facilities, and financial systems, said the new chairwoman of a U.S. House of Representatives cybersecurity subcommittee.
Rep. Yvette Clarke, a New York Democrat, also called for a new national cybersecurity strategy during a Tuesday hearing of the House Homeland Security Committee's cybersecurity subcommittee. A 2002 strategy from former President George Bush had no teeth to mandate that private companies take actions to protect cybersecurity, she said.
"Unfortunately, that strategy stopped short of mandating security changes," Clarke said. "While the previous administration relied on a voluntary protection system throughout many of the 18 critical infrastructure sectors, I believe the administration should seek to use a combination of regulations and incentives to ensure that ... key infrastructures are properly secured."
Clarke didn't offer details of what regulations should be created, but she suggested that current policies have largely been ineffective.
"We find ourselves in an extremely dangerous situation today: Too many vulnerabilities exist on too many critical networks, which are exposed to too many skilled attackers who can inflict too many damages to our systems," she said. "The previous two decades have seen countless reports from America's thought leaders in cybersecurity, containing hundreds of recommendations about how to improve America's posture in cyberspace. What has been lacking is the courage and leadership to actually implement these recommendations."
A panel of cybersecurity experts offered more recommendations Tuesday, and Clarke found support for regulations from Scott Charney, vice president of trustworthy computing at Microsoft. Limited, "appropriately tailored legislation" may be necessary to get private companies to take the steps needed to protect U.S. cybersecurity, he said.
U.S. markets "will not pay for the level of security likely necessary to protect national security," Charney said.
Government can create regulations based on industry best practices, while not over-regulating, he said.
While some witnesses and lawmakers were critical of the U.S. Department of Homeland Security's cybersecurity efforts, handing the effort over to the U.S. intelligence community isn't the answer, either, added Amit Yoran, CEO of cybersecurity vendor NetWitness and former director of the DHS National Cyber Security Division.
"There is great peril if this effort is dominated by the intelligence community," Yoran said. "There is a clear and distinct conflict of interest between intelligence objectives and those of system operators."