Senator: Industry needs to educate Congress on cyber

Sen. Mark Warner, one of the most tech-savvy members of Congress, said industry should help him and his colleagues better understand technology so they can design smarter cyber policy.

 

Sen. Mark Warner (D-Va.) said Congress needs to take a more holistic approach to cyber legislation, with industry's help.

One of the most tech-savvy members of Congress said industry needs to educate him and his colleagues so they can make better cyber policy decisions.

Sen. Mark Warner (D-Va.) made a fortune in the 1980s as co-founder of the company that became Nextel and as a technology investor, but he said cyberspace is a daunting challenge even for him.

"Cyber, because it touches so many different aspects of our life, is very hard to wrestle with from a policy standpoint," he said at the Army Cyber Institute's CyCon U.S. conference in Washington on Oct. 21.

Warner said policymaking isn't helped by the number of congressional committees that oversee cyber in one way or another.

"In the last year alone, nine separate congressional committees held more than 20 hearings on cyber-related issues," he said. Despite all that activity, "the Congress of the United States has only passed one significant piece of legislation regarding cyber [since 2000], and that was a relatively watered-down...voluntary information-sharing bill."

In an effort to change that, Warner co-founded the Cybersecurity Caucus, which seeks to look across committee lines and approach policy on a more holistic basis.

At the recent conference, he called on industry leaders to help in five areas: by providing members of Congress with a cyber 101 education, by working to resolve the encryption standoff, by coming up with a clear and concise list of cyber hygiene practices, by improving the procurement process and focusing on replacing rather than patching legacy systems, and by devising policies to help recruit and retain talented cyber workers in the public sector.

On the topic of encryption, Warner said he understands the arguments on both sides, but it's imperative that the government have the tools to track bad actors. He added that a government-mandated backdoor would only push bad actors to use foreign-designed hardware and software that the U.S. can't touch.

"This is one of those areas where we actually do need as policymakers to step back and put folks like you...on a commission," he told the audience. "Now, traditionally when Congress talks about a commission, that is political speak for a punt. In this case, a short-term punt is the right answer."

He advocated bringing together cybersecurity, computer, privacy and civil rights experts to come to some sort of agreement before another incident occurs that forces Congress to overreact and make bad encryption policy.

Another policy challenge for Congress, and one that Warner said he has focused on, is designing federal standards for notifying victims of data breaches.

"Right now we have 48 separate state laws, and only 12 states have some minimum level of disclosure in terms of data breach," he said. "I know for a long time industry's view was, 'You got a data breach -- let's just sweep it under the rug because it's better to eat those costs than have them into the marketplace,' but that is not an acceptable process going forward. Our information-sharing legislation was a step forward. I think the jury's still out on whether it is sufficient."

One of the main obstacles to designing a breach notification law is that various industry sectors don't want the law to apply to them, Warner added.

"If we're going to do this in a comprehensive way, we've got to make sure all industries are in -- no carve-outs," he said. "Yes, there ought to be safe harbor if you come forward with this information, but if we're going to make sure that we get this right, we've got to have standards" for data breach notification.

Warner said the long-term challenge is building up the government's cyber workforce, which will require experimenting with different compensation models. He added that he is working on a cyber reserve corps, "a series of people with pre-clearance who in the event of a major cyber incident could come from the private sector and surge into the public sector to help us."

He acknowledged that cybersecurity professionals might not want a career in the public sector, but that's why the government must build more flexibility into its security clearance process.

"We've got to have a much easier path in terms of clearances so that people can move from public to private and back to public in a way that is smoother, he said.