Now is not the time for the U.S. government to mandate cybersecurity standards to private industry, despite significant threats and a lack of understanding by many company executives, a panel of government officials said Tuesday.

The panel of cybersecurity-focused officials, part of a discussion in Washington, D.C., on whether government and private industry are doing enough to protect confidential information, agreed that cybersecurity mandates were not the right way to encourage private companies to adopt cybersecurity best practices. Instead of a so-called “stick,” Congress could develop some “carrot” incentives for companies looking to upgrade their cybersecurity efforts, said Bob Dix, staff director of the technology and information policy subcommittee of the U.S. House of Representatives Government Reform Committee.

The subcommittee is considering several incentives for cybersecurity efforts, including a cybersecurity investment tax credit and a limit on liability for companies adopting cybersecurity best practices, Dix said. A liability limit could include an exemption from Federal Trade Commission (FTC) actions taken against companies that adopt best practices but still leak consumer data, he said.

In late 2003, the subcommittee considered legislation that would have required companies to fill out a cybersecurity checklist in their filings with the U.S. Securities and Exchange Commission (SEC). Even though Dix and Chrisan Herrod, the SEC’s chief security officer, expressed concern over the state of cybersecurity in the U.S., they stopped short of advocating government-defined standards. Instead, best practices should be defined by private industry, Dix said.

Part of the problem is there’s not general agreement on what cybersecurity best practices should be, Herrod said. “We’re not there yet,” she said, when asked about government mandates.
“I don’t think it’s possible to mandate something when you don’t have agreement on what that something is.”

One industry may require different standards than another industry, and a small business may have different cybersecurity requirements than a large business, noted Laura DeMartino, legal advisor for cybersecurity at the FTC. “A broad (government) mandate may not be needed for a company that does not maintain sensitive consumer information,” she added.

Still, panelists said many business executives still don’t give cybersecurity the attention it deserves. “The threat is real, the vulnerabilities are extensive, and the time for action is now,” Dix said.

Herrod said she’s “very disappointed” in the lack of effort between private companies and the government to come up with agreed-upon best practices. “I think it’s a lot of talk, and very little demonstrable action,” she said.

Many chief executive officers still don’t see cybersecurity as an important corporate governance issue, Herrod said. “We would love to see information assurance and information security standards as part of corporate governance, but not in the context of mandating them — in the context of every company following the best practices they can possibly put in place,” she said. “I’m very concerned that we haven’t gotten there yet. CEOs in corporate America still don’t get it — they still don’t concern themselves with information security… as much as you would think they would.”

Government’s role should be to create awareness about cybersecurity at all levels of technology users, from large businesses to home users, said John Landwehr, security strategist for Adobe Systems. “Awareness and education, in our minds, is the biggest thing we can do,” he said.
“There’s a lot of education we can do at all levels.”