Witnesses from the FCC, the Department of Homeland Security
and the National Telecommunications & Information Administration told a
Congressional panel Wednesday that they thought the Department of Homeland
Security should be involved in helping set cybersecurity performance standards
for critical infrastructure, but that the voluntary industry cybersecurity
codes of conduct agreed to by major cable ISPs last week should not be enforced
by FCC rules.
That came in the latest in what has become a parade of
cybersecurity hearings on the Hill, which continued Wednesday with the
Communications Subcommittee's third hearing on the topic, this one focusing on
public sector responses.
In general, Republicans said the government should encourage
voluntary industry standards and not insert itself in a way that would reduce
private industry's flexibility in responding to threats. Democrats on the panel
gave a shout-out to those ISP efforts, but suggested that the government also
needed a way to ensure accountability to those voluntary standards.
Rep. Henry Waxman (D-Calif.) made the strongest case for
stronger government involvement. He suggested that reliance solely on voluntary
efforts might not be sufficient when, say, dealing with a company that was less
diligent in its best practices and caused a cyber-breach to critical
He said that if industry wants exemptions from antitrust and
other consumer laws in order to share info with the government -- it does -- then
it should be willing to be held accountable for not abusing that freedom.
Admiral Jamie Barnett, who heads the FCC's Public Safety and
Homeland Security Bureau, repeatedly emphasized that voluntary and industry-led
cybersecurity approaches were the best, but also said that there needed to be
"metrics" to test whether those were actually working. If industry
efforts alone were enough, he suggested, there wouldn't be a need for a
hearing. He said government's role should be to lend its expertise, and then
verify that voluntary approaches were working.
He gave a shout-out to the nine ISPs, which include Comcast,
Cox, Time Warner Cable, and CenturyLink, who have agreed to adopt the
FCC-proposed codes of conduct on botnets, domain name security and route
hijacking (malicious redirection of internet traffic).
Rep. John Dingell (D-Mich.) asked how many ISPs there were.
Barnett responded probably thousands, including smaller cable operators. Dingell
pointed out that nine seemed like a small number, but Barnett countered that
those nine represented about 80% of ISP customers and said he thought that was
pretty good out of the gate.
He also assured Dingell that the FCC was working on the
other 20%, including talking with the American Cable Association about the
challenges, economic and otherwise, to adopting the codes. He said the
codes were intentionally flexible in terms of how to meet them and the timeframe,
and that the bureau's industry/government Communications Security, Reliability
and Interoperability Council (CSRIC), which voted unanimously to approve the
codes, would next turn to the obstacles to their adoption.
In a tweet, ACA President Matthew Polka confirmed the talks.
"This is important work and we look forward to participating," he
Subcommittee Chairman Greg Walden characterized some of the
testimony as disturbing, then even more disturbing as witnesses talked about
the threats. They included an attack on the Department of Commerce's Economic
Development Administration that took the network down for several weeks and
counting. It also included this sobering assessment from Bob Hutchinson, of
Sandia National Laboratories, a government-funded national research lab:
"The most important lesson I have learned in my career is that computer
systems can never be fully trusted, can never be proven free of compromise, so
we must focus on finding ways to conduct business, even critical business, on
machines that are presumed to be infected," he said.
Rep. Marsha Blackburn (R-Tenn.) on Tuesday introduced a
House companion to a Republican-backed Senate cybersecurity bill, one that
would not have DHS enforce performance standards. She said at the hearing that
the bill focuses on information sharing, increased penalties for cyber
criminals and coordinating federal research.