Public vs. private cyberattack responsibility debate heats up
Should the federal government combine legislative muscle with fear to pressure private enterprise leaders into funding defenses for a cyberwar? Or should it be up to the government to fund and create a “cyber army” to protect private industry, just as it protects factories and infrastructure in the physical world?
That debate was raised in two reports last week on National Public Radio about the escalating threat of cyberattacks from foreign and terrorist enemies. In the first, reporter Tom Gjelten profiles a public-private partnership called the “Enduring Security Framework,” which began at the end of 2008 and “brings chief executives from top technology and defense companies to Washington, D.C., two or three times a year for classified briefings. The purpose is to share information about the latest developments in cyberwarfare capabilities, highlighting the cyberweapons that could be used against the executives’ own companies.”
Or, in more colorful terms, “We scare the bejeezus out of them,” Gjelten quotes one U.S. government participant as saying.
At one such briefing in 2010, U.S. officials told business executives, “We can turn your computer into a brick.” That, according to NPR, prompted computer manufacturers to fix a design flaw in their firmware.
But now there is legislation pending that would take it beyond persuasion. In a second story, Gjelten reports on a U.S. Senate bill that would require private enterprises, particularly those that “control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure,” to improve their cybersecurity capabilities.
The leading backers of the bill are Sens. Joe Lieberman of Connecticut and Susan Collins of Maine, among others. Lieberman, an Independent, still caucuses with Democrats. Collins is a Republican.
Leaders in government and private industry agree on the need for those improvements, but the report says, “they divide over the question of who bears responsibility for that effort.”
That is a key dispute over passage of the bill, which is the Senate version of CISPA (Cyber Intelligence Sharing and Protection Act), recently passed by the House. The Senate version is more popular among privacy advocates because it would give the civilian Homeland Security Administration, rather than the military’s National Security Agency, oversight of information sharing between the public and private sectors. But the Senate bill puts heavier, and more costly, regulation on private business.
