On Monday morning, President Obama appointed Phyllis Schneck, a vice president at the cybersecurity firm McAfee, as the next Deputy Under Secretary of Cybersecurity at the Department of Homeland Security (DHS). At first glance the appointment of a private-sector expert seems like it could improve DHS’s approach to cybersecurity. Real cybersecurity improvements, however, will only take place if the Obama Administration fundamentally changes course and abandons its unreasonable regulatory demands.
Such a change is highly unlikely. As it stands, the President’s executive order (EO) on cybersecurity encourages regulators to regulate the cybersecurity of the private sector. With the threat of regulation hanging over the private sector, the EO, no matter who is overseeing it, will not build the true public-private partnership the U.S. needs for reliable cybersecurity.
Issued in February, the EO calls for the National Institute of Standards and Technology (NIST) to create a list of cybersecurity standards. DHS and other departments are then to create a voluntary program to promote the adoption of these standards by the private sector. The Administration recently announced some of the incentives it is considering, of which several are noteworthy:
- Offering certain preferences in federal grants and cybersecurity assistance,
- Promoting cybersecurity insurance in the process, and
- Providing public recognition to companies that participate.
While these incentives may encourage some private involvement in the program, the EO cannot provide the crucial incentives: liability protection, protection against regulatory use of shared information, and Freedom of Information Act (FOIA) protection. Only Congress can offer these protections, and without them, many businesses will be afraid of having to fight court cases and bad press merely for trying to cooperate on cybersecurity. While it is good to know that Phyllis Schneck, someone who knows the private sector, will be leading the development and implementation of this system, critical limitations remain.
Perhaps most importantly, the EO allows and encourages regulators to make the “voluntary” NIST standards into mandatory requirements using their existing authority. A mandatory system not only has the potential for large costs and a compliance-over-security mindset, but it also destroys true partnership and cooperation. After all, forcing someone to do what you want isn’t usually viewed as cooperation, but coercion.
Instead of coercion and limited incentives, the U.S. should pursue cybersecurity policies that promote real cooperation and security. A truly voluntary system of cybersecurity information sharing, with appropriate legal protections, will enhance the security of the private and public sector by spreading information on cyber threats and vulnerabilities so that organizations can avoid or mitigate them.
Additionally, the U.S. should consider allowing the private sector to engage in some degree of active cyber self-defense beyond merely defending its firewalls. Such a policy, known as “hack back,” would allow companies to follow and trace hackers through cyberspace and engage in limited acts of counter-hacking. This policy would help deter hackers from, and punish them for, attacking U.S. computer systems and, in cooperation with law enforcement, increase arrests and prosecutions of hackers. Of course, since hacking back will inevitably cross into foreign servers and networks, a careful examination of domestic, foreign, and international law will be necessary to understand the legal implications of hack back.
Phyllis Schneck’s appointment is an opportunity for the Administration to change direction and truly embrace the private sector’s role in cybersecurity. The Administration will likely squander it. Instead of imposing a top-down set of standards that will not enhance U.S. cybersecurity, the U.S. should pursue constructive policies that leverage the strength and resources of both the private sector and the government.