Industry sees coming regulatory 'pause' on cyber

The new White House cybersecurity commission report sets the stage for the next administration to make it easier for companies to share cyber threat information.

Commerce Secretary Penny Pritzker wants to remove impediments to government-industry cooperation in cybersecurity. 

Even though the White House's Commission on Enhancing National Cybersecurity report is light on regulatory suggestions, companies in a position to share cyber threat information with the government want more assurances they won't face legal consequences if they do so.

The report, said Secretary of Commerce Penny Pritzker in a Dec. 6 speech at USTelecom's National Cybersecurity Policy Forum in Washington, relies on a growing collaboration between the federal government and private industry to strengthen cybersecurity against increasingly technologically nimble attackers.

Meanwhile, many in industry are looking to the incoming Trump administration for a regulatory pause.

The 100-page report, which addresses both President Barack Obama and President-elect Donald Trump, calls for immediate and longer-term actions from government and commercial interests alike.

The report includes 53 suggested action items in all, including the creation of an appointed post of assistant to the president for cybersecurity.

Although the commission's report recommends the use of the National Institute of Standards and Technology's cybersecurity framework as a "common language" for risk management for government and industry, Pritzker said more needs to be done.

Getting industry to share cyber threat information has not been easy, because of liability concerns, despite the 2015 law providing some protection for companies. Gaps in that protection remain, Pritzker said.

"We still need to remove structural impediments to collaboration that stand in the way of truly candid conversations on current and emerging cyberthreats," she said. "Today relationships between regulators and the businesses they regulate are inherently adversarial…You cannot blame executives for worrying about what starts as honest conversation might end tomorrow as a 'punish the victim' regulatory enforcement action."

The commission report's recommendations on opening up those conversations, she noted, mirror the telecommunications industry's proposal that the Federal Communications Commission allow companies to voluntarily discuss cyberattacks with government officials under what Pritzker called a "reverse Miranda rule" – meaning that anything companies say cannot be used against them.

That understanding would allow telecommunications carriers to talk freely with federal officials about threats they see without fear of regulatory reprisals tied to possible security flaws.

That approach, she said, could work for regulated infrastructure companies, but it may also be necessary for Congress to pass additional rules cementing the arrangement.

Industry groups at the conference applauded the light regulatory touch the commission recommended, but commission Director Kiersten Todt said regulation wasn't completely out of the question -- particularly when it involves cybersecurity for devices that could potentially endanger human life, such as driverless cars and medical devices. Todt said regulations would be more likely if an industry "can't get its act together" to develop more secure products.

Industry panelists at the event applauded the report, but were still a little anxious about liability concerns in sharing threat information or working collaboratively with the government to blunt a cyberattack. Some said they had found ways to use existing regulations to blunt liability concerns and work with federal agencies.

"We're hoping the Trump administration will take a strategic pause and look for conflicting regulations," said Heather Hogsett, vice president of technology and risk strategy for the technology policy division of the Financial Services Roundtable.

"A pause is a good idea," agreed Scott Aaronson, executive managing director at the Electric Edison Institute. "Regulations need to be aligned" to effectively fight advancing cyberattacks, he said.

The report, however, depends largely on the next administration's willingness to pick it up and run with it.

"My administration has made considerable progress in this regard over the last eight years," said President Barack Obama in a Dec. 2 statement on the report. "Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change – both in the United States and around the world."

Todt said she had briefed President Obama on the commission report. The opportunity to brief President-elect Trump, she said, is now open. President Obama, she said, "has reached out to the president-elect" on the briefing.
