Politico’s Morning Cybersecurity newsletter had a short article about the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing which occurred yesterday. The hearing was focused on the current state of the Department of Homeland Security’s private sector engagement on cybersecurity. At the hearing, Politico said that subcommittee chairman John Ratcliffe (R-TX) asked the five witnesses to “name the one thing they’d tell the government to focus on the most.” The answers give insight into what is wrong with the cybersecurity industry.
From Politico (I changed the formatting to be bullet points instead of their original paragraph-style formatting, but did not change any of the statements):
He got five different answers.
- Daniel Nutkis, CEO of the HITRUST Alliance: he would like guidance about what the industry role should be.
- Scott Montgomery, chief technologist at Intel Security Group: Developing a well-trained cyber workforce should be highest on the government’s list.
- Jeffrey Greene, who runs global government affairs for Symantec: The Trump administration should specify that the Homeland Security Department will remain the civilian government leader on cybersecurity.
- Ryan Gillis, a vice president at Palo Alto Networks: the government should focus on implementing existing cyber laws.
- Robyn Greene, policy counsel at New America’s Open Technology Institute: The Trump administration shouldn’t water down privacy protections under the landmark 2015 information sharing law.
The fact that there would be 100% disagreement on the most important thing shows that industry, as a collective, doesn’t know what the most important things are. Additionally, some of these answers are just terrible. First of all, saying that the Trump administration should release a statement doesn’t really move the needle on helping to protect our critical infrastructure. While such a statement would be good (I don’t think moving critical infrastructure protection to the Department of Defense, as Trump has intimated he’d like to do, is a good idea), it’s more of a checkbox item than something that moves us forward.
I’m a big proponent of privacy rights, but again, how does maintaining a law passed two years ago qualify as the most important thing we should do moving forward? Even if the Cybersecurity Information Sharing Act (CISA) was a game-changer in improving our security, it would be the information-sharing parts of the law that would improve the security of our critical infrastructure, not the fact that the sharing was done in the confines of protecting people’s personal information when cyber threat information was shared.
I could maybe understand the argument that government should focus on implementing existing cyber laws, but it’s not quite there. First of all, you can’t make an organization or an industry secure just by passing a law saying they need to be secure, or saying they need to do X, Y, and Z. You can’t legislate your way to security. You may be able to legislate your way to compliance, but that is not the same thing. And, laws by themselves don’t accomplish that. Laws can lay the groundwork, but it takes individuals, organizations, and industries having a sustained focus on building a secure infrastructure for productive changes to happen.
The other two answers, however, at least do provide a blueprint for moving forward, and I could make an argument for each of them being important: identifying what roles private industry and the government will play, and developing a larger workforce of more qualified individuals. I could make an argument for either of those being worthwhile as the first priority government should focus on, but that’ll have to wait for another post someday.