Businesses need key policies to succeed in a world of modern cyber threats
The U.S. Chamber of Commerce announced a series of cybersecurity policy priorities in an effort address security challenges facing businesses. Key security-related policies that the Chamber seeks to advance this year are highlighted in the plan. “When networks are secure, businesses have a better chance to succeed,” says Ann Beauchesne, senior vice president for National Security and Emergency Preparedness at the U.S. Chamber. “Through awareness, education, and public-private partnerships, we can turn cyber challenges into opportunities to innovate, create jobs, and grow the economy.”
A number of the recommendations are relevant to security and identity industry professionals.
Advocating for the cybersecurity Framework and supporting small businesses
The Chamber urges the administration to support the NIST Framework for Improving Critical Infrastructure Cybersecurity. They suggest that the federal government support efforts to help private enterprises manage cyber supply chain risks and consider ways to help small businesses and state and local governments use the NIST framework.
Leveraging cyber threat information and incident data
Cyber information sharing is an important method of protecting systems and the Cybersecurity Information Sharing Act of 2015 (CISA) is a strong document according to the Chamber.
They also commend the Commission on Enhancing National Cybersecurity’s push to create “reverse Miranda protections” so businesses can freely discuss cyber attacks without fear that regulators would use the information against them with respect to liability.
Further, the Chamber endorses piloting a cyber incident data and analysis repository (CIDAR). An experimental CIDAR, initially administered by the Department of Homeland Security (DHS), can offer tangible upsides to U.S. cybersecurity, including helping insurers develop cyber coverage and best practices for their customers.
Protecting the Internet of Things (IoT) and increasing businesses’ gains
The business community should lead the development of secure IoT components that can be used in settings such as manufacturing, transportation, energy, and health care.
Embedding cybersecurity in global, industry-driven standards and fixing Wassenaar
The Chamber recommends a global approach to cybersecurity standards and best practices to avoid burdening multinational enterprises with the requirements of multiple, and often conflicting, jurisdictions. They also suggest addressing burdensome “intrusion software” provisions that were added in 2013 to the Wassenaar Arrangement’s list of dual-use goods and technologies subject to export control. The current provisions are seen as harmful to cybersecurity efforts.
Clarifying Federal and industry roles and responsibilities and getting government resources right
It is constructive that the Commission on Enhancing National Cybersecurity called for continued work on clarifying the roles and responsibilities of the public and private sectors. On paper, the Department of Justice and the FBI investigate and prosecute cybercrimes; Department of Homeland Security leads the protection of critical infrastructure; Department of Defense defends the nation from major attacks that are synonymous with acts of war. It’s not clear to the Chamber that the three groupings have the resources and the interagency coordination needed to excel in the duties policymakers assigned to them.
Federal agencies should lead by example on improving U.S. cybersecurity. In the last Congress, the Chamber supported the Modernizing Government Technology Act of 2016. Many parts of the federal government’s IT infrastructure are woefully outdated. The Act authorized two IT funding streams to improve, retire, or replace current systems.
- Many companies tell us that they remain uncertain when their obligations to guard their enterprises from a cyber incident end—particularly in the wake of a nation-state attack—and the government’s assistance begins. The process for handing off the cyber baton warrants deeper discussion, comprehension, and exercise.
- Future congressional legislation and the fiscal 2018 budget process give stakeholders the opportunity to better sync missions of the DOJ/FBI, DHS, and the DoD with the resources allotted to them.
Writing a new cybersecurity strategy that features business input and negotiating toward acceptable behaviors in cyberspace
The U.S. cybersecurity strategy is seemingly uncertain both to many in the private sector and our adversaries. America’s approach to cyber is at an inflection point. Industry is frequently the first to bear the brunt of cyber attacks coming from our nation’s adversaries, and public policy should be adjusted accordingly.
- Policymakers should discuss the United States’ cyber strategy with the business community before, during, and after the strategy is written.
- A strategic priority should be to increasingly deny our opponents’ ability to conduct harmful cyber activity against the business community and the nation.
- Public-private policymaking needs to spotlight increasing adherence to international norms and deterrence. U.S. deterrence policy has so far prevented cyber attacks that may cross the line into armed conflict. But our national deterrence deficit lies in our struggle to stymie attacks by criminal groups and foreign powers that fall into the malicious middle of the attack spectrum.