This morning, the House Energy and Commerce Committee’s Subcommittee on Communications and Technology held a hearing on the subject of cybersecurity of the nation’s communications infrastructure, and the responses of the private sector.
Testimony was heard from Larry Clinton, President and CEO of the Internet Security Alliance, Bill Connor, President and CEO of Entrust, Robert Dix, VP of Government Affairs & Critical Infrastructure Protection, James A. Lewis, Director of the Technology and Public Policy Program at CSIS, and Phyllis Schneck, VP and CTO of Global Public Sector at McAfee.
Among the consistent themes throughout the hearing was support for increased information sharing between the government and private sector on cyber threats. Rep. Eshoo (D-CA) announced her support for Rep. Mike Rogers’ Cyber Intelligence Sharing and Protection Act of 2011. The bill currently has 54 co-sponsors across partisan lines.
This support was also echoed by those testifying today. Bill Connor stated that the current system of one-way information sharing is untenable and needs to change, and Larry Clinton and James Lewis suggested the Rogers bill was a good place to begin in this area.
Schneck noted that data exchange, from both government and private companies, is crucial to combating these threats, and that some laws prevent companies from sharing this data. She did note that this push for sharing must be tempered with proper privacy assurances.
The panelists largely seemed to eschew government-set standards in favor of industry-developed ones, though Lewis observed that not holding critical infrastructure to some standards will “guarantee an attack.” Clinton recommended an independent authority not to create standards but to evaluate them. And Rep. Terry (R-NE) said it would be quite difficult to set standards in this area as “before the ink is dry on the bill the standards have changed.”
A few other random nuggets from the hearing:
- In response to Bill Connor’s account of the ZeuS and SpyEye “merger,” Rep. Walden joked that it should have gone through FCC review, thus guaranteeing it would never have happened
- Corroborating the points raised by various Representatives in their opening remarks regarding education being a high priority in cybersecurity, Robert Dix explained that 80% of cyber vulnerabilities are the result of no or poor cyber hygiene
- Larry Clinton’s remark that with cyber, we’re “dealing with the invention of gunpowder. Mandating thicker armor won’t work. Government needs to engage private sector, not control what it does.”
- James Lewis made an interesting point regarding increased reliance on mobile devices. He recounted a discussion with a hacker who informed him the software “tool” for hacking an iPhone costs twice what it costs for other smartphones ($20,000 vs. $10,000). This was in the context of his suggestion that we’ll see an increased role to be played by service providers, such as telcos.
With the subcommittee largely receptive to what the panelists had to say and the broad support that exists for it, I think there’s hope that one of the first legislative steps we’ll see in this area will be the adoption of the Rogers bill.
You can watch the full hearing here.