The Obama administration’s new cybersecurity proposal could create counterincentives against better private-sector cybersecurity, according to Larry Clinton, president of the Internet Security Alliance.
Released last month, the White House proposal mandates that the parts of the private sector that operate critical infrastructure be audited against a range of performance standards. The audit results would be made publicly available, FierceGovernment IT reported.
However, Clinton said the new framework does not take into consideration the evolution of cybersecurity and the stealthy nature of certain threats.
Today’s threats “go into your system and they hide,” he said, speaking before a June 24 hearing of the House Homeland Security subcommittee on cybersecurity, infrastructure protection and security technologies. Businesses need incentives to be on the lookout for malware, without the disincentive of publicly published audit results.
The harder a company looks for a problem, “the more likely they are going to be named and shamed for finding it; we’ve created exactly the wrong incentives,” he said.
Clinton also recommended a federal revolving fund to stimulate growth of cyber threat insurance. Today, the federal government absorbs all the risk of a major cyber event, he said, and in the event of a web-based attack taking down a major part of the infrastructure, Congress would be stuck with the bill.
During the hearing, Melissa Hathaway, president of Hathaway Global Strategies and former White House cyber official, criticized the White House proposal for the regulatory role over industry cybersecurity it could create for the DHS.
“Inserting DHS into a regulatory role in this context dilutes its operational and policy responsibilities and likely distracts from the nation’s security posture,” she said.