Congress is getting more serious about cybersecurity. Cybersecurity involves everything from a foreign power attacking our ability to control the national power grid, to a disgruntled employee hacking into the office computer and stealing proprietary corporate documents.

There is no national standard for cybersecurity and no national policy for defending against cyber attacks. While thousands of daily threats are identified and successfully defeated by governmental and private entities, it is time to coordinate these efforts, share appropriate information, and establish uniform reporting procedures.

This is not a job for the government to do unilaterally. It is a job for the government to help synchronize and oversee.

Legislation that will begin this process has been introduced in the United States Senate. The Cybersecurity Act of 2012 is designed to help protect us against, in the words of Sen. Jay Rockefeller (D-West Virginia), “Hackers stealing from Fortune 500 companies, breaking into government and security agencies’ networks, and toying with the networks that power our economy.”

As this bill makes its way through the legislative process, there are several principles that should be adhered to:

First, the legislation must help the private sector thwart cyber attacks, not dictate a set of one-size-fits-all regulations. To do this, lawmakers should look closely at what the major broadband providers have put in place to protect their networks and their customers’ systems and data. The legislation should expedite the sharing of best practices among industry sectors as well as with all other stakeholders in the Internet ecosystem.

The legislation should facilitate information sharing by removing archaic legal barriers to the collection, use and sharing of appropriate information, while establishing appropriate privacy protections, especially for consumers.

The Cybersecurity Act of 2012 should avoid adding to the regulatory burden of the communications-related infrastructure. The “light hand” approach to regulating the Internet has paid enormous dividends over the past 16 years since the adoption of the Telecommunications Act of 1996, and we must take care that cybersecurity legislation is not used as a tool to force new, unnecessary regulations into a remarkably successful system.

A number of public-private organizations are already in place to provide ongoing advice and collaboration in this fast-changing technological environment.

The legislation must not interfere with the industry’s flexibility to implement the measures it deems suitable to secure its networks and protect its customers. Avoiding a tangle of requests, proposals, amendments and approvals is crucial to keep from choking innovation in the name of cybersecurity.

Some elements of our information infrastructure are critical. Remote sensors at power plants, the FAA’s national flight control system, and many local, state and federal security organizations fall within this designation. Care must be taken not to extend the “critical” tag too broadly, so that the government does not seize security control over an entire industry or network when it is not necessary.

As a starting point for all of this activity, the federal government should streamline and clarify its cybersecurity structure. Cybersecurity should be centralized into one coordinating agency which might also have the authority to centralize a government-wide acquisition policy to best protect the government’s networks.

The government should upgrade and expand federal civilian training and certification in cybersecurity – a policy which would give the private sector a benchmark against which to measure itself.

Finally, the government must be a leader in research and development to help design and deploy hardware, software, and policy defenses against cyber attacks both internally and from foreign entities.

We are looking to the Cybersecurity Act of 2012 to help launch a serious, ongoing discussion about how best to proceed to protect this most critical of America’s infrastructure.

John S. Graczyk, a retired Marine Corps Major specializing in satellite, telecom and cyber activity, works in the private sector in Colorado Springs.

EDITOR’S NOTE: This is an online-only column and has not been edited.