More calls for government action on Internet security

During yesterday’s hearing of the Senate Committee on Commerce, Science, and Transportation, a panel of security experts urged the government to do more to push public and private sector action on critical infrastructure protection and Internet security, although those testifying differed on the exact role the federal government should play in encouraging that action. James Lewis of the Center for Strategic and International Studies repeated before the Committee his argument that federal regulation is needed to achieve the levels of participation sought among private sector organizations. His testimony included an analogy — familiar to anyone who has heard Lewis speak publicly in recent months — likening the need for government regulation to improve cybersecurity to the historical regulatory action to promote safety in the automobile industry, and arguing that it is no longer feasible to rely on voluntary adoption of best practices and market forces. Michael McConnell, former director of national intelligence and currently with government contractor Booz Allen Hamilton, expressed similar views and concluded that private industry could no longer credibly advocate a hands-off role for government. Other panelists were more circumspect in their choice of words and recommendations, such as Oracle Chief Security Officer Mary Ann Davidson, whose prepared remarks largely expressed support for things that Congress is actively doing, such as increasing funding for education in information security skills and trying to design software and technology products that are built to be more secure.
Admiral James Arden Barnett, Jr., the Director of the Public Safety and Homeland Security Bureau of the Federal Communications Commission (FCC), also sees a role for government intervention, and focused his remarks on the possible role the FCC can play in critical infrastructure protection, including serving as the point of information on network outages and related issues collected from broadband service carriers. Scott Borg, head of the U.S. Cyber Consequences Unit (a non-profit research institute), while noting the problem of market failures resulting in under-addressed aspects of cybersecurity, warned that the technical landscape changes so quickly that there is no practical way for the government to keep up if it tries to impose standards. None of the positions expressed were inconsistent with the emphasis on strong public-private partnerships to advance cybersecurity advocated by Committee Chairman Sen. Jay Rockefeller, who with co-sponsor Sen. Olympia Snowe drafted a piece of legislation titled the Cybersecurity Act of 2009 (S.773) that would codify and strengthen federal oversight roles on security, including elevating the federal cybersecurity czar to a Cabinet-level position. There were few voices at this hearing representing arguments by industry that financial incentives are a better alternative to regulation, or concerns raised by privacy advocates and free market proponents. The pervasive theme in yesterday’s hearing was the sense of urgency for the government to act, due to the ongoing threat environment and the potential for a serious attack attempt against U.S. critical infrastructure.