Cybersecurity legislation supported by the likes of Senators Joe Lieberman of Connecticut and Susan Collins of Maine would create a regulatory environment that essentially would require businesses to pick up the majority of the cost for defending against ever increasing threats.
A great deal of cyber espionage is directed at private companies who have a wealth of sensitive information and intellectual property worth tens of billions to foreign governments and represents a national security issue both militarily and economically.
"Let's fast forward to the 21st century. We're an information-based society now. Information is everything. That makes you, as company executives, the front line — not the support mechanism, the front line," said U.S. counterintelligence official Frank Montoya.
The question is, who should ultimately be responsible for picking up the tremendous costs involved with securing critical data maintained by the private sector?
While private sector leaders like Internet Security Alliance president Larry Clinton acknowledge that companies have a responsibility to protect critical systems and data in order to satisfy their obligations to shareholders, the notion that businesses can allocate unlimited resources at the expense of those same shareholders is not feasible.
Clinton and other experts were interviewed on National Public Radio’s “Morning Edition” on Tuesday, May 8th.
"The legally mandated role of the government is to provide for the common defense, and they're willing to spend pretty much whatever it takes to do that. If you're in a private organization, your legally mandated responsibility is to maximize shareholder value. You can't spend just anything on the cyberthreat. You have an entirely different calculus that you have to put into effect," Clinton explained.
Clinton argues that mandating companies to pick up the bill for defending what is really a national security threat puts an unsustainable burden on businesses.
"If the government was interested in paying the private sector to do all these things, probably we would go a long way toward doing it. But the government so far, [with] the Lieberman-Collins bill, wants it all done for free. They want the businesses to simply plow that into their profit and loss statement, and the numbers are staggering. You simply can't do it," Clinton said.
Clinton has led ISA since 2007, and is frequently called upon to offer expert testimony and guidance to Congress, the White House, and numerous Federal Agencies on policy and legislative efforts.
The Internet Security Alliance (ISA) is a unique multi-sector trade association which provides thought leadership and strong public policy advocacy as well as business and technical services to its membership.
The ISA represents enterprises from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology industries.
Clinton believes the current legislation under consideration is far too punitive in nature, and would disincentivize companies from both investing in better security measures and from disclosing data loss events, as well as creating a regulatory and bureaucratic nightmare.
"The major concern is the vast regulatory structure that would be set up at the Department of Homeland Security," says Larry Clinton.
Clinton maintains that the best approach for both the public and private sectors is to devise a cyber defense strategy that does not unfairly burdon companies with unsustainable costs through regulatory mandates.
"Whether we like it or not, we are going to have to figure out a way to get private companies to make, on a sustainable basis, investments that are not justified by their business plans. Simply telling them, 'You have to ignore your business plan,' is not a sustainable model. We have to find a way to make it economic," Clinton continued.