Better policies and practices, not more regulations, are needed to bolster cybersecurity: Think tank

Better policies and practices, not more regulations, are needed to bolster cybersecurity: Think tank

February 15th, 2016, by Jon E. Dougherty

( In December, as part of other legislation, President Obama signed into law the first major bill in a generation dealing with cybersecurity.

As reported by the Christian Science Monitor, the new law is the result of years of debate between government and the private sector about how best to cooperate to improve cybersecurity. It’s passage comes following more than a decade of cyber theft involving both corporate and government systems and resulting in incalculable losses of data. It also comes amid new concerns over terrorism and, in particular, how to identify and track terrorists who often use encryption to hide their online planning activities.

The legislation followed what had been years of political back-and-forth over the broad subject of how best to secure the nation’s information networks, while still maintaining constitutional rights and protections. Most legislation offered was bipartisan in nature, but, as the Heritage Foundation notes in its “Solutions 2016” series, “the fight is not over a need for appropriate cyber legislation; it is over how one defines ‘appropriate.’”

Specifically, the think tank notes, a primary point of “is the degree to which federal regulatory powers should play a role in cybersecurity.”

“Many seem to think reflexively that this 19th-century solution is the answer,” the think tank continued. “Those with a little more understanding of the dynamic and fast-moving nature of cybersecurity see regulation as far too slow and clumsy to be of any benefit and recognize that it might actually hinder security by building a culture of mere compliance with regulations and a false sense of security against enemies who are agile, motivated, and clever.”

Heritage says that Russia is currently the most sophisticated cyber threat, followed closely by China. Others with outsized cyberwar capabilities include North Korea and Iran. “To address this growing threat, the U.S. should leverage the forces of the market, motivating the private sector to make the sort of continual and dynamic investment needed to really secure our diverse networks,” it added.

Analysts identified six areas where legislation by Congress, not regulation through the bureaucracy, would dramatically improve cybersecurity and make it dynamic enough to adapt to emerging threats:

Undertake Stronger International Cybersecurity Engagement. The U.S. should bolster cyber-cooperation with allies and friends, with a focus on coordinating cyber defense and countering cyber operations. The U.S. should lead international efforts to ‘name and shame’ nations that use cyberspace for malicious purposes, either against other nations or their own people,” Heritage said, adding that agreements like the one the Obama administration made recently with China are essentially worthless and serve to undermine U.S. cybersecurity.

“The U.S. response should include ceasing naive cooperation, curtailing visas for guilty parties, and subjecting those with stolen information and intellectual property to criminal charges and other legal action,” Heritage said. “Furthermore, many bad cyber actors also maintain some form of control over the Internet in their country. The U.S. should explore ways to weaken these nations’ grip on the Internet in order to weaken their control of the populace.”

Allow and Encourage the Development of a Valid and Effective Cyber-Insurance Business. “The first step is for the government to encourage the gradual development of liability standards as a result of common-law development and private-sector organizations,” said the think tank. “This is arguably the most difficult step, but if done with industry cooperation, it could hugely enhance security awareness and activities.”

Protect the cyber supply chain. Many computer components are made all over the world, often in countries that are hostile to U.S. cybersecurity concerns (like China). Backdoors can and have been added to products like tablets, laptops and other equipment to allow for cyber espionage.

“A non-government organization needs to be established to evaluate supply-chain practices, operations, and security methods, and its evaluations should be made public. It could ‘give grades’ to a tech company’s supply-chain operation, much as Underwriters Limited, the ubiquitous and nonprofit accreditor famous for its ‘UL’ stickers on everything from toasters to computers, evaluates the safety of other products,” says Heritage.

Consider a Specified and Controlled Cyber Self-Defense Authority. “Today, a company does not know what its rights to self-protection against hackers really entail,” says the think tank. “Who does a hacked company call—local police, the FBI? If it is attacked and has a strong tech capability, can it fight back? No one wants vigilantes rampaging about with no controls or parameters.”

Expand the Push for Real Awareness, Education, and Training. “Tell people the truth about cyber threats and give them the tools to play a role in protecting themselves, their homes, and their businesses. This must be a broad-based effort that reaches every community in America, at all levels.”

Develop and Keep a Superb Cyber-Workforce. Says Heritage: “Cybersecurity affects everyone and everything we do in government, business, and the military. The U.S. needs to promote STEM (science, technology, engineering, and mathematics) education and adjust visa and certification practices to ensure that the best and brightest can use their skills to advance U.S. security.”

See also:

Christian Science Monitor

Heritage Foundation

Leave a Reply