A group of 12 Republican lawmakers issued a detailed set of recommendations Wednesday on how the federal government should work with private sector owners and operators of the nation’s critical infrastructures to enhance cybersecurity.

The long-awaited 20-page report by the House Republican Cybersecurity Task Force, led by Rep. Mac Thornberry (R-TX), strikes a similar chord to plans currently being worked on by Senate Democrats and the Obama administration but takes a significantly different philosophical approach, calling for limits on federal regulations, tax credits for companies that improve cybersecurity and a third-party, private-sector run “clearing house” of real-time information on cyber threats.

“We are generally skeptical of direct regulation and of government agencies grading the security of a private company, which is another form of regulation,” the report states. “Threats and practices change so quickly that government-imposed standards cannot keep up.”

The task force also recommends a series of “voluntary incentives” designed to encourage private companies to invest more heavily in cybersecurity.

Among the incentives put forward by the task force is a recommendation to streamline existing regulations, such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA), into a single performance standard that would satisfy all such regulations. Other proposed incentives include expanding tax credits for companies that invest in cybersecurity, linking federal grant funding to cybersecurity standards, and potentially restructuring the insurance industry that deals with data breach premiums.

Larry Clinton, President of the Arlington, Va.-based Internet Security Alliance, called the GOP report “the most specific and pragmatic blueprint for national cybersecurity policy” that the nation has seen to date. The key to the GOP proposals, Clinton told Breaking Gov, is that they provide incentives to the private sector “to do things we already know work” in cybersecurity.

“The most underreported item in the cybersecurity world is that there is broad agreement that we could solve between 80 to 95% of our cybersecurity problems if we could simply get entities to adopt the best practices and standards we have already developed,” said Clinton.

Liesyl Franz, Vice President, Cybersecurity and Global Public Policy for Tech America, praised the proposed expansion of the R&D tax credit to include cyber investments, which would be a major step forward to getting us back to the top of the list of the R&D incentives worldwide.

“In addition, we welcome the recommendations that promote international cooperation and coordination, improve federal procurement in this area, and bolster a cybersecurity awareness campaign,” he said.

However, Clinton acknowledged that the success of the GOP plan – and any plan, for that matter – will ultimately depend on what incentives Congress can come to agreement on and actually pass in legislation. And that remains a tall order given the rigid ideological divisions that are preventing Congress from passing much more pressing pieces of legislation.

In May, the Obama administration released a comprehensive Cyberspace Policy Review in which the Department of Homeland Security (DHS) would play a central role in identifying risks and threats that private sector-run critical infrastructures would need to defend against. The DHS would also develop privacy and civil liberties policies to be enforced by the Justice Department, take responsibility for managing federal civilian agency cybersecurity, and would be given greater leverage to assist the private sector during crises.

Clinton acknowledged the challenge of finding compromise in the current political environment, but said there is enough common ground between both plans to pass a consensus bill this year.

“This approach is very consistent with what was in President Obama’s Cyberspace Policy Review,” said Clinton. But there are differences in approach, he said. “Some are insisting on doing this massive healthcare-model, comprehensive bill that would include establishing a massive regulatory structure at DHS. But it is just impossible for me to see how this Congress would ever pass that bill,” said Clinton. “So if people are going to insist on that approach, then we’re probably not going to get a bill this year.”