Cyber-Regulation Debate Heats Up
House Hearing a Forum for Opposing Views
Congress is highly unlikely to enact new laws to require industry - especially privately-owned critical infrastructure operators - to adhere to cybersecurity regulations. But that hasn't stopped a fierce debate among lawmakers and security experts on the value of such rules.
The forum for the latest verbal battle over whether the government should impose cybersecurity standards on industry was a May 21 hearing of the House Energy and Commerce Committee, where witnesses testified about the Obama administration's proposed cybersecurity framework to develop IT security best practices that critical infrastructure owners could voluntarily adopt.
Commerce Department Undersecretary Patrick Gallagher, the director of the National Institute of Standards and Technology and the key witness in the 2½-hour proceedings, was careful in his statements not to take sides in the debate over whether the government should require industry to subscribe to specific best practices.
NIST is leading a government initiative with the private sector to jointly develop IT security best practices that Gallagher contends would be voluntary. But when questioned by one lawmaker whether he could envision government acting to require specific practices if industry failed to take adequate protections, Gallagher responded, "Yes."
NIST Lacks Power to Regulate
Still, Gallagher repeatedly assured opponents of regulations that the cybersecurity framework being drafted under NIST guidance won't become regulation. First off, he said, NIST has no authority to compel industry to adopt these standards. "I can assure you that's my intent," he said. "And, the way we're trying to make sure that intent follows through is giving the pens to develop the framework to industry and then supporting that effort. It's really essential that this be their work product - that this reflects current best practices from across these sectors that identify cross-cutting issues because it's going to be a superior product."
Gallagher also tried to rebuff the notion that voluntary standards equate to weakness. "People are equating voluntary with weak, and that's not necessarily the case," the NIST director said. "Most product safety standards in the United States are fully managed by industry. Industry is quite capable of putting in quite muscular conformity assessment tools to assure themselves that they are complying with their own standards and protocols. If that's done, it addresses the performance. If what they do is protective to the critical infrastructure, I think that's the best thing they can do to maintain this as a voluntary industry-wide process."
A Voluntary Approach?
Most other witnesses testifying said they believe it's the Obama administration's intent not to require industry to adopt the cybersecurity framework. Typical was the response of Robert Mayer, a vice president of the United States Telecom Association, who said he's confident that NIST intends to make the framework voluntary. "The caution is around what happens after the framework is developed when it moves toward sector-specific activities," Mayer said. "It can morph into something that takes on a different quality, and that would be problematic. But from every indication in talking with all of the key federal entities right now, we're quite sanguine that it's going to be a voluntary process."
Republicans on the panel - led by Committee Vice Chair Marsha Blackburn, the Tennessee Republican who chaired the hearing - re-emphasized their conviction that government-enforced cybersecurity regulations would stifle innovation without improving IT security. They contended that regulations wouldn't be flexible enough to react to rapidly evolving threats and technologies.
Several Democrats on the committee, however, complained that some industries - the electric grid was specifically mentioned by the committee's ranking Democrat, Rep. Henry Waxman of California - have been tardy and haphazard in implementing their voluntary IT security standards. Thus, mandatory standards are needed, they contended.
3,500 Generals Going Off In Different Directions
Former CIA Director James Woolsey told the committee the electrical distribution industry has a proven track record of taking too long to implement its own security standards, pointing out that after the Sept. 11 terrorist attacks, the North American Electric Reliability Corp. took 44 months to implement new safeguards to strengthen the security of the power grid. "World War II took 3 years, 8 months - we went from Pearl Harbor to accepting Japan's surrender," Woolsey said. "It is nuts to suggest that would be effective against an enemy."
Another problem Woolsey sees is that each of the more than 3,000 electric utilities and cooperatives operating in the United States would decide for itself which standards to adopt. "Anyone who is facing an enemy as shrewd as Iran and, I'm afraid, North Korea, with 3,500 generals all going off in different directions, will lose," Woolsey said.