Cyber crime official optimistic on new legislation
The Obama administration's top cyber security official says companies would not be unduly burdened by a Senate bill that would phase in security standards for key parts of the country's privately held infrastructure. The administration has been pushing to enact such legislation, and in an interview with Reuters, White House cyber security policy coordinator Howard Schmidt said the law would apply only to the most vital companies, and that many of them would already be in compliance.
After testimony underscored rising concern about Internet vulnerabilities in the electric grid, at financial companies and elsewhere, the Senate bill supported by Democratic Majority Leader Harry Reid would let the Department of Homeland Security levy fines on crucial companies that fail to follow safe technology practices.
Schmidt also said the federal government did not plan to give any direct financial support to companies that come under attacks from other countries, arguing that they need to address the issue on their own as another business risk.
The push comes as Congress gears up for debate on the issue. A Republican-led alternative plan in the House that eschews new regulation in favor of increased sharing of information about cyber threats is slated to reach the floor next week. Serious divisions between the two approaches remain, and the election cycle threatens to derail even bipartisan bills.
Following is a partial transcript of the interview, conducted Thursday before Schmidt spoke at the Chicago Council on Global Affairs.
Q: On the legislation, how optimistic are you now versus a few months ago that something serious gets done?
A: I'm always optimistic, because in all the proposed legislation, there's a clear recognition that we need to do something, particularly to make the core critical infrastructure more resilient. We have to make sure it is a whole-government approach. We have to make sure it's a partnership.
Q: Other people I've spoken to who are close to the White House aren't wildly optimistic. The Chamber of Commerce and some trade groups seem basically opposed to more regulation, so how do you overcome that argument?
A: By having people fully understand what it is we're trying to accomplish and what the real impact of it is. Look at the idea of what we term "core critical infrastructure." That's not every piece of critical infrastructure out there. We want to identify, working with the private sector, what are those things that are really core? Secondly, what are the industrial standards we can work with, to make sure they apply? Those that are already doing it, it's not a big reach for them. Those that are already working toward it, it should not be a big reach either. For those that are not quite sure what to do, this gives us a platform across the industry and government to understand what needs to be done.
Q: Does the federal government have to share more of the cost burden than is currently enshrined in the proposals?
A: When you look at any structural threats against companies and/or infrastructure, the federal government has a unique visibility into intelligence and law enforcement issues. That goes to the information-sharing piece that gives companies the ability to protect themselves in a lot of aspects.
But we also recognize that there is a business imperative to do it. So when you start talking about government finances and who is going to pay for it, first and foremost businesses have to build this into their risk matrix, just as they do in the physical world. The role of government is to help facilitate that but not pay into businesses for them to do what they need to be doing from a business perspective anyway.
Q: Former Deputy Defense Secretary William Lynn said yesterday that China is doing so much stealing over the Internet that "trade sanctions and diplomatic approaches are probably not enough" to deal with it. What does that leave?
A: I'm not going to talk about any specific country, but I will talk about the International Strategy for Cyberspace that the president released last May. That covers freedom of expression, freedom of speech, Internet freedoms, Internet governance, the rule of law, and defense. When we look at our international relationships, it's more about looking at the commonalities we have with other countries. We have to develop some norms, make sure each country is doing what it can to reduce the likelihood of the theft of intellectual property, credit card fraud, identity theft, nation-state actions against each other. As laid out in our international strategy, we want to invite other countries to be part of a bigger partnership rather than have one country looking for an advantage over another.
Q: The Department of Defense recently stepped up its cyber-weapons acquisition so it can react more quickly. I have the impression that things are already happening that, if they aren't war-like, are at least unwelcome in countries where we are taking action. But we may not know about that, ever, whereas if we bomb a place people find out. Are there going to be lots of future conflicts where there isn't that much oversight or even awareness of what's happening?
A: The focus continues to be building systems that can resist any threats that are out there as well as defending our networks and our friends and businesses around the world. Anything else beyond that is just stuff we're not going to be talking about, because it takes the focus away from what we need to be doing.
Q: Shawn Henry, the departing head of the FBI's cyber effort, said on the way out the door that we are losing. Do you agree, and what do we do about it?
A: On cyber crime, we've always had an issue, as we have with other types of crime, which is there is oftentimes more than we can handle as law enforcement. It just doesn't scale.
The issue is how we get other countries, whether they are part of the European Convention on Cybercrime already, or they are just creating their own laws around this, to do better international cooperation.
Q: There are still some countries that give us pretty poor cooperation. There are places where we have been 'about to turn a corner' for a decade or more.
A: There are cases the FBI and Secret Service have made in the past year that a few years back we would never have had cooperation on. We continue to chip away at those who commit cyber crimes.