Homeland Security Watch

News and analysis of critical issues in homeland security

February 27, 2012

A discussion on cybersecurity legislation

Filed under: Cybersecurity — by Arnold Bogis on February 27, 2012

Last week, the George Washington University’s Homeland Security Policy Institute (HSPI) held a “Conversation on Cybersecurity Legislation with Mike McConnell, Michael Chertoff, and Senior Congressional Staff.” Video of the event, along with background materials, can be found here: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm

On one hand, the sausage-making portion of the discussion with congressional staff was interesting, if not too enlightening to one uninitiated in the dark legislative arts. On the other, former DHS Secretary Chertoff and former DNI McConnell seemed to echo some of Phil’s framing of the cyber issue in his last post.

Obviously, these two men fall into Phil’s descriptive pot “Those that may make money on increased attention to cybersecurity are in favor of the current proposal.” In fact, both gentlemen agreed that the current legislation is a start, but that more is required. To be fair, both also have extensive knowledge of the threats and vulnerabilities involved in the cyber domain.

More interesting, to me at least, was their description of the regulation-versus-collaboration issue, which serves to reinforce Phil’s frame. To paraphrase Chertoff: “how can you expect a company that is worth $10 million to voluntarily spend $1 million on cyber security, despite the fact that the cascading vulnerabilities could cost the nation $10 billion?” McConnell, for his part, discussed the military’s initial aversion to the Goldwater-Nichols reforms, now credited with producing a superior fighting force that collaborates not only because it has to, but because the specific design of the system makes such cooperation something it now wants to accomplish.

Phil characterized it in his last post:

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sack of sanctions is available, unless the sanctions are used to craft collaboration (rather than mere compliance) cybersecurity will not be enhanced. The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

If you are interested in cybersecurity, I would highly recommend going back and re-reading Phil’s piece with his intriguing suggestion that cybersecurity lessons can be derived from the model of the Coast Guard: http://www.hlswatch.com/2012/02/24/creating-a-cyber-coast-guard/

Then watch the HSPI event, which may shed some light on the competing legislative priorities and processes that may, hopefully, someday result in a bill: http://www.gwumc.edu/hspi/events/cyberPRF413.cfm

Update:

One new item from today and one a few days old (h/t to Bill Cumming) on the cyber front.

The Washington Post reports on the tussle between the White House and NSA over the divide between network access and monitoring for threats on one side and privacy rights on the other:

The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.

The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic to be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.

NSA officials portrayed these measures as unobtrusive ways to protect the nation’s vital infrastructure from what they say are increasingly dire threats of devastating cyberattacks.

But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations; internal documents reviewed by The Washington Post backed these descriptions.

A few days ago, the Government Security News website reported on remarks by former NSA and CIA Director Michael Hayden that covered topics not usually associated with cyber issues: mitigation, response, and recovery:

So, when Hayden says the U.S. may be spending too much time thinking about cyber vulnerabilities and not enough time thinking about the actual consequences of a successful cyber attack, it probably makes sense to pay attention.

“We may be at the point of diminishing returns by trying to buy down vulnerability,” the general observed. Instead, he added, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them.

“I cannot stop them at the perimeter,” Hayden acknowledged, “so, how do I deal with the fact that they are on the inside.”


4 Comments »

Comment by William R. Cumming

February 27, 2012 @ 7:38 am

IMO what has not worked is not the voluntary aspects of the current system but the fact that end-users, whether public or private, have had to bear the full costs, direct and indirect, of the lack of adequate security measures at any level being made available by the production side of the technology. This is in fact an involuntary process imposed by those making the technology available. There is a cost or costs to any technological change, but while the benefits may be clear, little effort is made to even explore the costs and who will bear them.
An example! The actual clean-up costs of the nuclear weapons complex in the USA are $1-2 trillion. Deterrence seems to have prevented nuclear attack in the past on the USA. But the inordinate expansion of the nuclear inventory–ability to destroy most of the world several times over–never had its costs exposed to public debate.
So for example, is there any open source discussion of the US government adoption of Microsoft products as compared to some others? Or as compared to what Microsoft might have accomplished security-wise?
And to state that McConnell and Chertoff understand the spectrum of cyber security issues is laughable!

Comment by Philip J. Palin

February 27, 2012 @ 8:45 am

There are two related pieces in today’s Wall Street Journal. WSJ is unfriendly to linking, but you can try to access at

NSA Chief Seeks Bigger Cybersecurity Role (refers to HSPI forum)

Cybersecurity 2.0 This is a commentary by L. Gordon Crovitz looking at both the Lieberman/Collins proposal and the prospective McCain proposal.

In regard to the cost question: In the past we assumed that those who would reap the benefits would also bear most of the costs. But in the past catastrophic costs were mostly contained to individual users. One rusty freighter sinking in a gale would not threaten international commerce. In cyberspace the vulnerability of one can expose all to systemic risk. The cost-benefit equation becomes very, very complicated.

Pingback by Library: A Round-up of Reading | Res Communis

February 27, 2012 @ 4:38 pm

[...] A discussion on cybersecurity legislation – Homeland Security Watch [...]

Comment by The Doomsayer

February 28, 2012 @ 8:25 am

W/fellas like Chertoff and McConnell, as William Cumming points out, We feel much more secure here on “Main Street USA” – much like the umbrella of ObamaCare, Inc.

Let’s begin to address real issues with enlightened and intelligent folks who we should be recruiting for these Al Gore types just don’t lend to really understanding the global complexities and the reality of across the board vulnerabilities.

Chinese leadership is comprised of scientists and engineers…it is their modern nuclear submarines now sailing in the Atlantic off Cape Cod that We are wary of, and their pledge to build the first colony on the moon’s surface, and we here on “Main Street USA” shudder to think of looking to the moon and seeing a neon Chinese flag glowing from the moon’s surface, while our electric grid and ATMs and electric cars and so much more….all at the mercy of those who seek our demise, and if it were not for the dedicated NSA and other agency personnel so committed 24×7 to protecting ‘ol Glory while Barry Obama et al continues in his direct intent to undermine the US constitution, We here on “Main Street USA” would be facing far more calamity than present, where we have left behind a nation now bankrupted $15 trillion in federal reserve notes by “Mr. Barney” and “Smug-smiled Pelosi et al” – look around — these types of folks are the “entrusted” folks We have placed in such positions without recall initiatives in place, enabling this dysfunctional and less than transparent – charade – to continue while drones may be launched from off the east coast or our local Starbucks identified as a target simply because the fools we have given far too much credibility in positions where their ineptness creates our vulnerability because folks…whether you understand the substantial threat of cyber attack….and the ability thereof which currently exists…a Chicago community organizer w/such narrow perspective can’t cut it and certainly not a former Governor of Massachusetts who led a charge at the Olympics…

Where is Winston Churchill?

McConnell, Chertoff et al….com’on folks. What a sitting target; we have only ourselves to blame. We have so many more accomplished, knowledgeable individuals, men and women who should be spearheading any such discussions, not some less than JV hopefuls!

Yes, the flag on the front porch still flies upside down depicting the distress we now face, and it now flies half staff for the clock ticks and We are closer and closer to calamity and the lack of promoting articulate folks who understand the subject and the National Security issue at hand….

God Bless America! Our Beloved Republic! Besieged from within by incompetence and the undesirables who in their self-serving ways in clear portrayal have shown just how vulnerable we are, and the cyber attacks will become more evident. We have a Responsibility to protect our nation and Our Constitution and to be aware of the dire warnings conveyed to us by the wisdom of our esteemed forefathers!

(Chris)topher Tingus
PO Box 1612
Harwich (Cape Cod), MA 02645 USA
chris.tingus@gmail.com
