White House proposal could open computer networks to insider threats
Industry group cautions against getting auditors involved in assessing security, instead suggesting financial incentives for strong company-enforced safeguards.
A White House cybersecurity proposal that requires auditors to evaluate the protection of critical networks could actually make those networks more vulnerable by opening them to new insider threats, an industry group representing many federal technology contractors said Friday.
Lawmakers currently are evaluating draft legislation from the Obama administration that, among other things, would increase oversight of critical infrastructure, or private sector networks that support the foundations of society, such as power and communications. Under the proposal, covered companies would be responsible for mitigating threats, but third-party inspectors would assess their control over those risks regularly.
"The single largest vulnerability of our cyber systems comes not from hackers using technology to break into systems, but from insiders with approved access to the systems," Larry Clinton, president of the Internet Security Alliance, which represents industries with a stake in online security, told House members at a Homeland Security Cybersecurity, Infrastructure Protection and Security Technologies subcommittee hearing. "This proposal creates a virtual army of insiders crawling through our most critical infrastructure's security systems on an annual basis."
The alliance's members include government contractors such as Lockheed Martin Corp., which recently sustained a "significant and tenacious attack" on its networks that company officials said they successfully contained.
Clinton suggested replacing audits with cyber insurance that would provide businesses an economic incentive to heighten protections on their own. Committee members seemed to agree with the concept.
"They can justify to their shareholders that [cybersecurity] has bottom-line effect through the use of insurance," said Rep. Dan Lungren, R- Calif., chairman of the subcommittee.
Typical insurance policies do not cover cyber events, Clinton said, noting that establishing a government reinsurance program could help stimulate a private cyber insurance industry. He said reinsurance programs could be phased out when the market gains enough expertise in administering coverage.
"The best way to do it is to make the system so that the organizations want to invest in security, so that they see it in their own self interest," Clinton added. "My daughter drives more carefully because she wants a good driver discount," he said in providing an example of the financial incentive companies would have to practice good cyber hygiene.
The U.S. cybersecurity posture could benefit from such individual company insurance, too. Companies that share information about breaches they experience might be given lower rates, Clinton said. "Right now the federal government is carrying all the risk of a major event," he said. "That is bad risk management."
The White House proposal includes several financial bonuses and economic punishments but does not address insurance. Companies that fail their annual security tests would be named publicly, which could damage their brands or upset investors, administration officials said recently. Also, firms that perform well might be eligible for more government business.
Federal officials were not invited to Friday's session. During three recent hearings held by other committees to evaluate the White House's draft legislation, both industry and administration representatives testified.
"We've had a number of discussions with the administration already and have followed their testimony thus far," Lungren explained to Nextgov in a statement. "We wanted to hear from nongovernmental experts as to the perceived impacts of the proposal. As the proposal includes regulatory sections, we think it's important to get the perspective from those private sector folks that would have to live under the regulation."
Late Friday, Homeland Security Department officials said it already is common practice for companies to hire outside security firms to test and upgrade their cyber defenses.
Under the proposal, critical infrastructure companies would enter into agreements with certified professional security businesses in the same way they enter into contractual arrangements with financial auditors and law firms, they added. Officials said the model envisioned would achieve an objective, safe evaluation without expending much additional government money.
They added that the proposal would create standards of care for cybersecurity that would help drive an insurance market in the sector.
NEXT STORY: Hacker groups snipe each other