ADMINISTRATION’S CYBERSECURITY PROPOSAL WOULD CREATE NEW BUREAUCRACY, SAYS ISA HEAD
The Obama administration’s cybersecurity legislative proposal, submitted to Congress last month, would create an extensive new bureaucracy that would discourage the private sector from investing in cybersecurity, Larry Clinton, president of the Internet Security Alliance (ISA), told a House panel.
Clinton said the administration’s cybersecurity proposal would “create an extensive new bureaucracy that will not address the persistent cyber threats we face” and could “add significant new threats that are not justified by the dubious benefits of the unbounded intrusions into our most critical infrastructure.”
The ISA chief told a House Homeleand Security Committee panel that the cybersecurity proposal would give the Department of Homeland Security “unbounded” authority to regulate private sector critical infrastructure. “At the end of the day, this legislative proposal will allow DHS to regulate pretty much any entity it elects to regulate and mandate whatever DHS elects ought to be mandated”, he said. Clinton also criticized the proposal for focusing on national data breach notification requirements. “Most cyber attack disclosure requirements are founded on misconceptions about what it is companies have available to disclose….In fact, most companies are unable to tell whether they have been the victim of a successful cyber attack unless they make a special effort to investigate, spend additional resources on the effort, and have the necessary skills and tools already on hand.”
At the same time, Leigh Williams, president of the Financial Services Roundtable’s BITS technology policy division, said the roundtable broadly supports the administration’s cybersecurity proposal. For example, the roundtable supports the national data breach notification requirements. “Given existing state and financial services breach notification requirements, this migration will require both strong pre-emption and reconciliation to existing regulations and definitions of covered data”, Williams testified.
At the same time, the Financial Services Roundtable wants to make sure that the authority of sector-specific agencies and sector-specific rules are not usurped by the legislation, which would give the Federal Trade Commission and DHS expanded authority in the cybersecurity area.