From ISIS to FISMA, A Conversation
Jim Lewis on Terror Cyberthreat, Stalled Cyber Legislation
Jim Lewis doesn't see Congress doing much legislating on cybersecurity, at least for the remainder of the current session that adjourns at year's end. And the nation won't be much worse off by the inaction.
Lewis, the highly regarded observer of government cybersecurity efforts, says the nation's critical IT would be a bit safer if Congress enacted stalled cyberthreat information sharing legislation. "Not a lot safer -- information sharing has its limits, but it can be useful," he says of information sharing legislation (see Why White House Hasn't Backed CISA).
The director and senior fellow for the Strategic Technologies Program at the Center for Strategic and International Studies, a Washington think tank, also discounts a significant cyberthreat from the terror group Islamic State (see What Cyberthreat Does ISIS Pose?), in a wide-ranging interview with Information Security Media Group.
"The people who make up the terrorist groups are psychotic, and they want physical violence," he says. "Cyber-attacks don't do it for them, right, don't scratch the itch, don't meet their strategic goals."
The Real Threat
In the interview, Lewis:
- Explains why nations such as China, Iran and Russia pose a greater cyberthreat to American and Western information technology than do terrorists. Nation states have the financial resources and technological know-how that terrorist groups lack. "If those countries were not active against us in exploiting networks, the bulk of the problem would go away."
- Discusses the growing pressure for Congress to enact a federal data breach notification law, although action on such a measure this year is unlikely (see Push on for National Breach Notice Law). "When you get Target and Home Depot and a bunch of others, people are beginning to complain in a way they've never complained before. And if there is some type of disruptive action, which we can't rule out, I think you're going to see much faster movement."
- Tells why it's not crucial for Congress to pass legislation to reform the Federal Information Security Management Act, the 12-year-old law that governs federal government IT security (see FISMA Reform Awaits Another Day). "A lot of the impetus for FISMA reform has gone away because the government hasn't waited for Congress to act. A lot of the motivation we had, say in 2012, just doesn't exist anymore."
Before joining CSIS, Lewis worked at the departments of State and Commerce as a foreign service officer and member of the senior executive service. His government experience includes work on a range of politico-military and intelligence issues. An internationally recognized expert on technology and strategy, he led the Commission on Cybersecurity for the 44th Presidency that produced a report that helped guide the Obama administration in creating its cybersecurity policy.