In the wake of multiple high-profile security breaches that have impacted huge swaths of the American public, lawmakers are still trying to figure out how to legislate cybersecurity.
While meaningful legislation may not be in the immediate future, at least one congressman believes there are ways lawmakers can improve cybersecurity, particularly in the civilian federal government.
The first: Institute a serious stress test for the National Institute of Standards and Technology’s cybersecurity framework, a de facto standard for federal cybersecurity used across agencies.
“Does the NIST framework process provide adequate cybersecurity that we in the Senate can simply rely on and not have to engage?” Sen. Sheldon Whitehouse said Nov. 28 at the CyberCon 2017 conference in Arlington, Virginia.
“All of us have had the experience of working together on something and coming away happy with the process because it’s so undemanding and easy to get along with versus being happy with the process because it is in fact, although demanding, providing serious cybersecurity to America’s infrastructure. I don’t think we know the answer to that question.”
A second possibility for Congress to aid federal cybersecurity is establishing what he described as “a roving inspector general focused on cybersecurity with white hat penetration authority.” Duties of that role could include testing federal networks and monitoring for vulnerabilities at agencies.
Theoretically that role would help prevent the kind of breach seen at the Office of Personnel Management in 2015, “before all of our records got co-opted by the Chinese for OPM … that was something we should have realized,” Whitehouse said.
“We can’t expect requisite expertise to do this well to be spread across 73 different inspectors general. So call it an inspector general, call it a special investigator, call it a GAO group — I care less about where it’s located than the fact that someone has to have the job actually testing whether what agencies say about their cybersecurity is really true. We don’t have that effectively now.”
The third potential area for Congress to pitch in on cybersecurity: public awareness. Whitehouse said he doesn’t believe the American public is acutely aware of cybersecurity dangers, partly because the chief players being targeted — private industry and the government — each have their own reasons for masking the problem.
“If you’re a private corporation that just got hacked to bits you don’t want competitors [or possibly even] shareholders to know … so there’s not a lot of good information coming out,” Whitehouse said. “On the government side we are demons for classifying stuff; we overclassify like fiends and the result is it’s very hard to get government reports out as good as, say, the McAfee Red Dragon report.”
Perhaps, he suggested, the answer to that problem is a designated government spokesperson of sorts dedicated to sharing such information.
“We need a ‘discloser in chief’ or a ‘storyteller in chief’ — somebody who has the authority to declassify so they can actually negotiate with the principals and have authority at the table,” Whitehouse said.
“And their job should be every quarter or every six months to tell the story of what happened in the last quarter … you can say, ‘This is what kind of problem we had in the electric utility grid,’ and you can work through the process of making sure that what should be classified stays classified.”
Whitehouse additionally advocated for an international “coalition of the willing” that eschews nations going cyber-rogue, instead building consensus among partner nations to establish global cyber norms and standards.
“Start with Five Eyes, bring in other countries that are amenable and grow from there,” he said. “I don’t think the Russians or Chinese will ever negotiate in good faith, so why bother? Set terms for the rest of the world and they’ll begin to comply.”