The U.S. Congress should focus on voluntary incentives, instead of new regulations, as a way to encourage companies to improve their cybersecurity efforts, although some changes in current laws are needed, a group of Republican lawmakers said in a report released Wednesday.
Incentives from the government could include tax breaks, regulatory relief and protection against lawsuits for companies that embrace cybersecurity standards, said the report, by the U.S. House of Representatives Republican Cybersecurity Task Force.
Cybersecurity experts have told task force members that companies may need a nudge to improve their cybersecurity efforts, but the task force members questioned the need for new regulations, except in limited areas.
"We are generally skeptical of direct regulation and of government agencies grading the security of a private company, which is another form of regulation," the report said. "Threats and practices change so quickly that government-imposed standards cannot keep up. Regulations can add to costs that ultimately come out of consumers' pockets."
The task force, led by Representative Mac Thornberry of Texas, did recommend that Congress "investigate the possibility" of requiring companies to report significant cyberattacks and vulnerabilities as a way to improve law enforcement response.
Congress needs to take cybersecurity seriously, even though it's "not at the top of the public's expressed priorities," the report said. There are weekly news reports of successful cyberattacks, the lawmakers said.
"It is not just national security information that is being stolen from databases in the U.S.," the report said. "All kinds of intellectual property are targeted. Information stolen from U.S. databases equals jobs stolen from the U.S. economy. There are many stories of a small business developing a new product, being hacked, and finding copies of its new product flooding the market at cut-rate prices from China within a few months. We must take steps to protect American ideas."
Thieves are increasingly targeting small businesses, the reports said. "America is under attack," Representative Jason Chaffetz, a task force member from Utah, said in statement. "As a nation we must do a better job of identifying, preventing, and proactively engaging those who would do us harm."
The task force recommended that Congress update the Federal Information Security Management Act (FISMA), from a "checklist exercise" for federal agencies to an effort focused more on automated monitoring of IT systems.
Congress should also expand the definitions in the Computer Fraud and Abuse Act to outlaw more types of computer activity, including the creation of malware, and it should expand the Racketeer Influenced and Corrupt Organizations (RICO) law to include computer fraud within the definition of racketeering, the task force said.
Lawmakers should also make it a crime for a company to intentionally fail to provide required notices of a security breach involving sensitive personally identifiable information, the task force recommended.
Congress should also help create an organization outside of government that can serve as a clearinghouse for information about attacks and vulnerabilities shared among the government and private companies, including Internet service providers and security vendors, the report said. An outside organization would alleviate concerns about government agencies monitoring private networks, the report said.
"These recommendations provide sound, concrete steps to help strengthen our cybersecurity now, while also highlighting issues that need more work," Thornberry said in a statement. "Starting with incentives, information sharing, and updating some key laws can lead to real progress rather than more gridlock like we have seen with larger proposals."
President Barack Obama's administration released its own list of cybersecurity recommendations in May. The Obama plan calls for a national breach notification law, stronger penalties for cybercriminals, and a stronger cybersecurity role for the U.S. Department of Homeland Security.
Several tech groups praised the report.
The task force's recommendations will "result in immediate and positive improvements in our nation's cybersecurity by promoting the adoption of proven cybersecurity practices, standards and technologies," said Larry Clinton, president of the Internet Security Alliance, a group that has championed several similar cybersecurity recommendations.
The House report is the "most detailed and pragmatic public policy blueprint on cybersecurity any government entity has produced," Clinton said in a statement.
Representative Jim Langevin, a Rhode Island Democrat who has focused on cybersecurity issues, also applauded the Republican report and their focus on cybersecurity legislation. Langevin suggested, however, that some new regulations may be needed.
"In some areas of our critical infrastructure, it is clear that the current market is not achieving the security gains we need to address current vulnerabilities and future threats," he said in a statement. "This will require government involvement beyond incentives and voluntary minimum standards."
House Speaker John Boehner of Ohio and Majority Leader Eric Cantor of Virginia created the task force in June.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is [email protected]