House republicans and senior executives in the telecom industry came out swinging on Wednesday against a forceful government role in overseeing cybersecurity in the private sector.
A panel of witnesses at a House subcommittee hearing spoke virtually as a chorus in voicing their opposition to any new regulatory obligations that would threaten to lock businesses into a static compliance regime and undermine their ability to detect and combat new and emerging threats
Focus on Innovation Not Compliance
"Flexibility is key and it's important because the threats change as rapidly as they do," Jason Livingood, vice president of Internet systems engineering with Comcast, told members of the Energy and Commerce Committee's Subcommittee on Communication and Technology.
As lawmakers wrestle with competing visions for reshaping the government's role in cybersecurity, Livingood urged them to "focus on security and innovation rather than compliance and regulation."
Today's hearing comes as members of the Senate are heading for a debate over two bills that take sharply contrasting approaches to securing the critical digital systems owned and operated by members of the private sector.
The Cybersecurity Act, a comprehensive bill that enjoys a measure of bipartisan support, could come up for consideration on the Senate floor in the next few weeks in a debate that figures to draw sharp criticism from Republican opponents who see a burdensome government mandate in the security standards the bill would establish.
If current plans hold, the Senate debate will include consideration of an alternative and far more limited measure backed by John McCain (R-Ariz.) and several other ranking Republicans. That bill, the so-called SECURE IT Act, confines its focus to removing barriers that inhibit private firms from sharing information about potential threats with other businesses or government entities, as well as some other, uncontroversial provisions such as support for cybersecurity research and development.
That more limited approach has guided much of the debate in the House. At Wednesday's hearing, Rep. Marsha Blackburn (R-Tenn.) said that she has been working with Rep. Mary Bono Mack, a California Republican, to develop a cybersecurity bill patterned after the SECURE IT Act in the Senate, a measure that would eschew any form of government mandate. Warning against the negative results that sweeping legislation could entail, Blackburn said her bill's first aim would be to "do no harm."
The GOP members on the House panel gave full credence to the concern that a regulatory mandate, such as the one provided for in the comprehensive Senate bill, would invite harmful repercussions that could actually undermine the nation's security posture.
"Any sort of legislative effort that would provide overbroad regulation or certification regimes," Terry said, "would have unintended consequences."
Added Florida Republican Cliff Stearns, "Prescriptive, top-down government mandates are not only unnecessary, but they simply will not work."
Making the Complex More Complicated
Industry opponents to new cybersecurity regulations acknowledge the severity of the threats. On that point there is little political disagreement. But advocates of a hands-off approach argue that adding a new set of regulatory and compliance requirements through comprehensive cybersecurity legislation would be counterproductive, only serving to further complicate an Internet ecosystem and threat landscape that already are bewilderingly complex.
"When you write a law we do paperwork," Ed Amoroso, AT&T's senior vice president and chief security officer, told the lawmakers. He and other representatives of the telecom sector on hand to testify on Wednesday argued that as consumer-facing operations, their companies have every incentive to ensure that their networks are secure, and indeed already have robust security procedures in place that would hardly be improved by additional government oversight.
"If we're already doing it and government comes in and says you need to fill out this compliance checklist, you're taking people away [from their work on security]," Amoroso said.
By that approach, the government's role would be confined to facilitating information sharing by removing antitrust barriers and enacting liability protections to shield companies that do share information and maintain a reasonable security apparatus from civil litigation.
"I don't think there's an agency in a position to solve a problem that we can't solve ourselves," Amoroso said. "I'm not really sure what they should be telling us. That's the problem."
The nods of agreement among many lawmakers on the dais at that sort of comment suggested the uphill climb any comprehensive measure that emerges from the Senate would face in the lower chamber.
The information sharing and liability-protection measures are far less controversial. As are proposals that some of the witnesses at Wednesday's hearing advocated, such as efforts to improve the government's own cybersecurity posture, boosting research and development and promoting security in computer education programs.
Business leaders have long lamented the shortage of highly skilled cybersecurity professionals, an inadequacy that can be traced in part to immigration restrictions on highly skilled workers and to shortfalls in education.
"The profession of writing software is one that is a complete mess right now," Amoroso said. "The bottom line is that youngsters and even professionals today cannot write a nontrivial piece of software that is bug-free. And those bugs are the way that our adversaries get into our companies."
So rather than attempt to enact a framework for cybersecurity compliance through legislation, the public would be better served if lawmakers developed a set of incentives to promote education, public awareness and collaboration to respond to an evolving set of threats, he argued.
What's more, an explicit set of security mandates could have the perverse effect of aiding would-be attackers by performing their opposition research for them.
"It would be like every NBA team publishing their defense and saying this is what we're going to do," Amoroso said. "Guess what. Do you think the adversaries don't read your legislation?"
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Read more about government in CIO's Government Drilldown.