Finding the best way to get the private sector to disclose breaches of its cyber networks and improve protections is a key obstacle toward passing comprehensive national cyber-security legislation, Department of Homeland Security Secretary Janet Napolitano said yesterday.
Napolitano said the government needs to take a “heavily incentivized” approach to get the private sector on board, but said reporting breaches is critical to the public interest and to ensuring important infrastructure is safe.
“What we are worried about is that you have critical infrastructure, you have financial institutions, telecommunications, you have utilities, all of which are dependent on cyber networks,” Napolitano said at an event hosted by the Washington Post.
“If they are intruded upon and they are shut down, the economic impacts are far greater than the individual private entity,” she said. “In other words, there’s a public interest there that outweighs, in a way, the private sector.”
Napolitano said despite the disagreement, she was hopeful Congress could complete legislation in its current session, which ends in December 2012.
Congress has been trying to move forward. A panel of House Republicans this month issued recommendations that suggested the bill create voluntary rather than mandatory incentives to encourage industry to adopt better security practices and limit burdensome regulations (Defense Daily, Oct. 6).
Industry has been reluctant to publicly disclose security breaches, fearing that doing so could hurt business and be used against them by competitors, for example if a hacker were able to obtain personal account information from a bank, Napolitano said. Industry has its own economic interests, and it can reach “some very exquisitely difficult situations,” she said.
“Their calculus as to what is in the best interest may be different than what’s in the public interest,” she said. “That’s going to have to be worked out.”
“There may be some things that can be done in the middle, kind of lock boxes of information, anatomizing of information, that sort of thing,” Napolitano said without elaborating.
The Republican panel’s recommendations followed a White House proposal in May sent to Congress to establish a framework of priorities for cyber security (Defense Daily, May 13). The Senate has been unable to come up with any type of comprehensive legislation, prompting the White House to release the guidelines.
The guidelines included a requirement that Homeland Security work with the critical infrastructure sector to ensure it has adequate protection, and then work through a third-party auditor to assess the security measures, according to a White House fact sheet. The critical-infrastructure operators would then have to be certified for cyber security.
The White House also cited state laws that require businesses to alert consumers of any cyber breaches that allowed the intruder to access personal information.