A key private-sector leader is criticizing an initiative aimed at securing the Defense Industrial Base as “over-regulation” while advocating incentives, over liability, for filling gaps between private and public assessments of cybersecurity risks.
“The regulation is actually not improving our security, in fact it is anti-security because it is driving away some of our better suppliers who can do their business elsewhere,” said Larry Clinton, president and CEO of the Internet Security Alliance, referring to the Defense Department’s Cybersecurity Maturity Model Certification plan.
Under the plan, issued Friday in draft form, companies looking to do business with the Pentagon would have to certify they meet varying levels of requirements such as those laid out in the National Institute of Standards and Technology’s Special Publication for protecting Controlled Unclassified Information.
Clinton spoke at an event ISA hosted Friday at the Organization of American States where the Cybersecurity and Infrastructure Security Agency’s Bob Kolasky delivered a keynote address.
Both Kolasky and Clinton touted a need for organizations to consider cybersecurity risks as part of their overall business operations while acknowledging a likely “gap” between public and private assessments of cyber risk.
“The takeaway,” Kolasky said, “is continue to push cybersecurity into a risk management conversation, continue to push cyber risk management into an enterprise risk management conversation, continue to focus as much as possible on the thing that absolutely needs to be accomplished.”
Recognizing that organizations have an obligation to fulfill certain business objectives first and foremost is the responsible and realistic approach, Clinton and Kolasky both said, noting that if the level of risk companies deem acceptable is too much for the public, then the government might intervene.
“Some of the difficulty here in the cyber risk management conversation, of course, is risk isn’t always owned by the individual, there’s a collective nature of it,” Kolasky said, stressing a need to determine “what are the tradeoffs, and how do you change the tradeoffs so you can affordably address risks that are most important to your organization.”
Then, he said, “that will allow us from a national perspective and from an international perspective to start to have a conversation about where risks aren’t getting managed, where there’s enough shared risk across functions, where there’s some level of systemic risk, and my theory of the U.S. government is we step in from national security purposes, from national economic security purposes and really push and incentivize and fill gaps for the things that can’t be done just at the business risk management level.”
Following the event, Kolasky told Inside Cybersecurity it was too difficult to set a timeline for when such an assessment might be made. And while he did mention requirements as a type of incentive that might be employed to fill the gaps, both he and Clinton highlighted procurement-based incentives, with Clinton saying these would be particularly good for the DIB.
“We can find various ways to provide incentives,” Clinton told Inside Cybersecurity after the event, noting those would likely “vary from sector to sector,” adding as an example, “if we’re doing this in the defense sector, it would be a procurement incentive.”
But Clinton’s critique of the CMMC suggests the lure of government contracts might not be enough to incentivize companies to implement security measures if those measures are found to be overly burdensome.
“What we’re finding is that many of these key suppliers are simply walking away from doing DOD contracts,” he said. “Because this isn’t like the 1980s, where everybody needed to be part of the DOD system in order to be profitable. So we have some of our best suppliers who are saying ‘we don’t want to participate in these DOD contracts because it ups our cost far too much. We can sell our wares elsewhere without it.’”