Patrick Gallagher, heading up the National Institute of Standards and Technology's efforts to develop voluntary cybersecurity standards for critical infrastructure in concert with industry, told the Senate Thursday (July 25) that there are three reasons why the standards will have to have private industry buy-in, and added that if they don't, then Congress will have to decide what to do next given the national interest in protecting critical infrastructure. Gallagher said he thought industry would "come up with something that is quite effective."
Those three reasons are that 1) the industry has the knowhow and capacity and the process will only be "agile" if industry embraces it; 2) industry participation provides the best chance that those standards are compatible with business (the goal is to put the voluntary standards, so sitting on the shelf is not an option); and 3) that is the only way to scale the standards internationally.
That was Gallagher's message to the Senate Commerce Committee, which held an oversight hearing Thursday on NIST's progress on working with industry on a standard.
Ranking member John Thune (R-S.D.) said that industry reaction to the multistakeholder process was generally positive, "so far."
Dorothy Coleman, representing the National Association of Manufacturers, said the standards would have to be voluntary, industry led and that it must remain a nonregulatory approach.
But Committee Chairman Jay Rockefeller (D-W. Va.) asked Gallagher what would happen if industry did not adopt voluntary standards.
Gallagher did not mince words, suggesting that is where Congress might have to step in. He pointed out that what was at issue was a set of private sector activities that, if they fail, would have catastrophic impact on the country--the definition of critical infrastructure.
He said there was clearly a national interest in that not happening. "This has got to work," he said. If not, he said, Congress will have to address what happens next given that national impact and interest.
Rockefeller and Thune have just introduced a cybersecurity bill that would put Congress' imprimatur on the NIST standards effort, which was launched at the directive of the President in an executive order.
That bill, which would also boost cybersecurity research and training and cyberthreat education, was generally praised by the hearing witnesses.