Policy experts discuss cyber security at The George Washington University. (Eddie Rios/Medill)

WASHINGTON – Cyber security legislation needs smarter regulation with room for technological innovation in the private sector, a former Homeland Security secretary said Wednesday. The bill should raise the bar on private security capability and serve both business and national security interests.

Former Homeland Security chief Michael Chertoff and Vice Admiral Mike McConnell, one-time director of National Intelligence, discussed the cyber security legislation introduced last week by Sen. Joe Lieberman, I-Conn.

The Cybersecurity Act of 2012 would expand the Department of Homeland Security’s power to identify potential threats and also set regulations for private companies operating critical networks, requiring them to improve security or face penalties.

McConnell and Chertoff spoke about the cyber bill in a roundtable discussion with senior congressional staffers at George Washington University’s Homeland Security Policy Institute, a nonpartisan think tank that develops strategies to prevent current and future threats.

Chertoff, a lawyer who headed homeland security under President George W. Bush, wants better information sharing between the government and the private sector and investments in a skilled workforce capable of combating potential threats. He also favors technologies that can quickly deal with possible attacks, rather than playing “catch up with threats we have already seen.”

Chertoff offered support last week for Lieberman’s bipartisan bill. Testifying before the senator’s homeland security committee, he called looming cyber threats “one of the most seriously disruptive challenges to our national security since the onset of the nuclear age 60 years ago.”

On Wednesday, Chertoff said the presumption of openness and security across the Internet posed challenges to how national security operates. The focus of legislation, he said, should be on high-risk threats to the nation’s networks and the ability to combat such threats in real time.

He said the true victim of cyber threats is the private sector, not necessarily government agencies. He said the control systems of private sector companies are among the most heavily targeted areas for attack.

The decade-long theft of a Canadian communications company’s data and the Stuxnet threat in 2010 cast doubt in the public eye about the nation’s cyber protection capabilities, Chertoff said.

“In the world of cyberspace, it is much more complicated,” he said. “The battlefield is not just at the border or overseas. The battlefield is at home, and it takes place in the private sector’s own networks.”

Chertoff said the rise of hacktivist groups like Anonymous, which have disrupted federal and private activities over the past couple of months, is becoming a problem for national protection. He said there need to be incentives for private companies to take part in information sharing, to ease worries about how well protected companies’ data are.

But Sen. John McCain, R-Ariz., also speaking last week, shot down the legislation, saying it gave the Department of Homeland Security — part of President Obama’s cabinet — too much regulatory power. McCain and his allies intend to introduce their own bill, giving more authority to the National Security Agency and the U.S. Cyber Command, a subunit of the United States Strategic Command that conducts military cyberspace operations to protect the Defense Department’s information networks.

The overarching concern with the cyber legislation deals with who should hold regulatory authority: the National Security Agency, which has the capacity to subdue threats, or the Homeland Security Department, which would get expanded authority over protecting the private sector.

McConnell, who directed the National Security Agency in the early 1990s, said the competing bills were “absolutely necessary but insufficient.”

He pointed to voluntary information sharing between agencies and the private sector as a primary weakness and called for mandated transparency. He said unless it is mandated or incentivized, sharing would not happen.

He expressed concern that the debate over cyber security legislation will continue until “something happens that galvanizes the nation like 9/11 did.”