To understand the pressing need for effective cybersecurity policies, consider first how much we rely on information technology. In 2010, there were nearly 332 million personal computers in use in the United States — one for every man, woman, and child, with 20 million or so left over. In addition to all those PCs, there were another 148 million enterprise servers, tablet computers, eReaders, and smartphones exchanging both mundane and highly sensitive information across public and private networks. In fact, we rely on information technology for almost everything we do as a society — from personal tasks, such as paying bills and finding our way to new places, to matters central to the public interest, such as operating nuclear power plants and the country’s electricity grid.
Yet our IT systems are under constant attack from malicious hackers, hacktivists, underhanded cybercriminals, corporate spies, and foreign agents. Symantec’s Internet Security Threat Report for 2010 found that the volume and sophistication of these cyber threats increased 19 percent last year from 2009, with more than 286 million unique variations of malicious software, or malware. The economic toll of cybercrime, including direct and indirect costs, now approaches $400 billion globally, according to our 2011 Norton Cybercrime Report.
That’s why BSA earlier this year joined several other industry associations and a leading civil liberties group in offering a series of recommendations to bolster US cybersecurity through an enhanced partnership between the private sector and government. The principles outlined there — on issues ranging from risk-management standards to supply chain security — remain a good guide for policymakers considering how to shape cybersecurity legislation. I had an opportunity to highlight several that are especially important in testimony today before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, which is considering a draft bill by Chairman Dan Lungren (R-Calif.) that would target federal systems and critical infrastructure. The bill marks a positive step forward in a number of respects:
First, it would promote better coordination between and among federal agencies and the private sector by designating a single entity to be the National Cybersecurity Authority and assume responsibility for coordinating cybersecurity efforts. Today, there are several agencies working on various aspects of cybersecurity, but there is no designated lead. That structure leads to a lack of coordination.
Second, recognizing that not all targets are created equal, the bill would take a risk-based approach to cybersecurity. It would focus attention on critical infrastructure and avoid imposing unreasonably stringent security standards on low-risk entities, such as small businesses. Instead, it would create incentives for enterprises to adopt risk-based performance standards that are developed by consensus and internationally recognized.
Finally, the bill would promote public-private information sharing by making it clear that the government must provide threat information to industry. The bill also would create a new National Information Sharing Organization to facilitate the process. However, questions remain about how we will continue to utilize Sector Coordinating Councils and Information Sharing and Analysis Centers under the proposed framework. This is an important issue to be resolved given the significant time and resources that companies have invested in these entities.
There is no silver bullet for cybersecurity, so there needs to be a shift in the policy debate from “solving” the problem to “managing the risk” associated with it. Effective coordination, risk assessment, and information sharing are critical steps in the process. Chairman Lungren’s bill makes valuable contributions on all of those fronts.