NSA Seeks Tighter Info Security for Agencies,

March 22, 2012

By ZACHARY FRYER-BIGGS | Defense News, a Gannett Company
March 22, 2012

Experts, companies and legislators agree that U.S. companies and infrastructure are at risk as an ever-increasing barrage of cyber attacks threatens to compromise networks and pilfer secrets. They concur that legislation is needed to begin addressing what is an asymmetrical and highly successful equation for attackers. There ends the accord.

With two vastly different Senate cybersecurity bills — one of which is expected to reach floor debate in the next several weeks — circulating in Congress, the tactics that would best slow the advance of cyber attackers are the subject of fierce debate that could derail both bills. But the need to have a legislative starting point is being emphasized by the Defense Department, and experts said that doing nothing has the greatest pitfalls.

“Great becomes the enemy of good enough, and because we’ve never gotten started, we’ve never had a baseline from which to get started,” said retired Air Force Maj. Gen. Dale Meyerrose, former chief information officer for the Office of the Director of National Intelligence.

“With government there’s usually a crawl, walk, run, maybe even a trot in the middle there, in order to move things forward and make progress,” he said.

Speaking about the bills at the Credit Suisse Pentagon Conference on March 8, Deputy Defense Secretary Ashton Carter said that action was more important than specifics.

“There are several different flavors and I have my favorite, but it’s immaterial,” he said. “We need to do something.”

The bills

The first bill, a bipartisan effort led by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, would apply a set of cybersecurity standards to many of the private companies that hold nearly 90 percent of the U.S.’ infrastructure. The standards would be overseen by the Department of Homeland Security, which would also take on a critical role exchanging threat information with defense contractors.

Having DHS set and maintain security standards, as well as protect sensitive private-sector threat information, could be a problem because of a lack of trust and confidence in the agency, experts said.

“I think DHS has a lot of problems, and they have not proven themselves to be effective in the cybersecurity arena,” said Jeff Carr, CEO of TAIA Global, a cybersecurity company. “I have no confidence personally that without major changes in the bureaucratic structure of DHS that they’re capable of managing or making improvements in this area.”

The second bill, a Senate Republican effort led by Sen. John McCain, R-Ariz., would create no additional standards or heap responsibility on DHS. It focuses purely on information sharing, a solution backed by the business community as it would avoid additional costs.

“I think that there’s a realization with McCain with providing an alternative that is also supported by the Chamber of Commerce, representing the private sector, that there needs to be complete awareness as they formulate these bills to know what the impact will be, as far as resources required to comply with regulation,” said retired Air Force Lt. Gen. Harry Raduege, former Defense Information Systems Agency director.

Raduege, who leads Deloitte’s Center for Cyber Innovation, said that sharing intelligence, paired with better legal protection for companies that return the favor, could have a significant impact on security.

“What the McCain bill is trying to show is that additional information sharing in exchange for protection from lawsuits would open up a cleaner and better dialogue,” he said.

Other experts said this approach is inadequate because companies would have no incentive to further invest in cybersecurity.

“I can only guess that the motives are political, because the bill itself is not doing anything,” Carr said.

Carr pointed to the business-friendly stance the McCain bill takes, which avoids requirements as its primary purpose. “Nobody’s really trying to cure cancer here,” he said. “What they’re trying to do is keep the drug companies making a profit.”

The obstacles

“The people who say that neither of these bills goes far enough are absolutely correct,” said Meyerrose, general manager for cyber information assurance at Harris.

Meyerrose is not optimistic that legislative change will happen. While in the military, he worked on bills that were designed to improve cybersecurity efforts, but none passed. He sees the current landscape, with the debate over regulation versus company flexibility, unchanged.

“I don’t see anything that’s changed in our legislative approach that leads me to believe that we’re going to get much further on this one,” he said. “The debate about the role of government versus private industry in cyberspace is no different than the debate that we’re having in other parts of our lives. That’s why I’m pessimistic that any one of these is going to get through.”

Lieberman has spent several years producing iterations of the current cyber bill, and although Senate Majority Leader Harry Reid, D-Nev., has said that he will get the bill to the floor for debate, the presence of the McCain bill could create another roadblock.

Even if the Lieberman-Collins bill passes the Senate, Republicans, who control the House of Representatives, favor a threat-sharing approach instead of regulation.

Inaction is potentially devastating, Raduege said.

“There’s too much at stake to let this go without organizing our nation,” he said. “Left by ourselves, we’re not going to get the kinds of mechanisms and authorities that we need. The series of issues and potential expenses are so large that we need to have a comprehensive national strategy, and there’s no other place to pull together a national strategy.”

Original Defense News Article

Contact Us

Address : 1905 Twinflower Pt, Suite 200
               Colorado Springs, CO 80904
Phone : (719) 434-7025
Email :