Senator John D. Rockefeller
Chairman Senate Committee on Commerce, Science, and Transportation
Dear Senator Rockefeller:
I am in receipt of your letter dated September 19, 2012, that expresses your disappointment in not being able to pass the Cybersecurity Act of 2012. You voiced your confusion over what you claim are views expressed by various business lobbying efforts to kill the bill. I hope my answers to your eight questions below will help.
You addressed your question to the CEOs of the 500 largest businesses in the United States. While I do not represent any of them, I have worked with most of them over the last 15 years to develop what you term “cybersecurity best practices” and responses to the continuous onslaught they have been fending off. Perhaps I can give voice to their perspective in a way that will clarify matters.
1. Has your company adopted a set of best practices to address its own cybersecurity needs?
Yes, we have. We have a large IT security staff overseen by a Chief Information Security Officer who works to identify and implement best practices.
2. If so, how were these cybersecurity practices developed?
These best practices were developed in the crucible of day-to-day operations and in response to the hostile environment that would make most computers, data, and communications unworkable if they were not in place.
3. Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institutions, associations, or entity that developed them.
We have studied and borrowed from the best practices of many organizations. Our outside auditors (PwC, Deloitte, E&Y) have required that we adopt best practices and regularly check to ensure that we continue to do so. We participate in many organizations to ensure we learn from and contribute to the body of knowledge. These include SANS, ISACA, (ISC)², ISO, OWASP, and the Cloud Security Alliance. We rely on the IT security industry, comprising over 3,000 product vendors and service providers, to provide us with the defensive tools to manage the ever-evolving threat.
4. When were the cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
We created the office of the Chief Information Security Officer beginning in 1995 with the appointment of Steve Katz at Citicorp, the very first CISO. By 2003 just about every business had appointed a person to oversee best practices and implementation of security defenses. This is a step we are still waiting for the federal government to take. Our board and audit committee get regular updates on our security posture, the cyber threats we face, and the investments that are needed to ensure that we stay in business.
5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
Not directly, but the work of NIST to establish standards of security has been very helpful. The federal government has also served to distract our IT security teams, as numerous bills have required an onerous documentation and reporting regime to comply with Sarbanes-Oxley and HIPAA, while failing to pass legislation that addresses the morass of state breach disclosure laws we have to comply with.
6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
We are in a constant battle against malware, cybercrime, and nation state espionage. Creating a new department to engage in such an exercise would be expensive and distract us from our current efforts to find, hire, and retain the skilled security people we need as the threat rises, the methodologies of the attackers gain in sophistication, and the targets of their attacks expand to all of our intellectual property.
We have engaged in such a voluntary program already, InfraGard. While we appreciate the connection to the FBI this has provided, the sharing of information with the government has been mostly one way. We also already engage with the Information Sharing and Analysis Center for our industry segment. Some of the 16 ISACs are having more impact than others; the Financial Services ISAC, in particular, is proving to be very effective. Why is an Act required at all, when we already share threat intelligence and best practices?
A key component of our cybersecurity best practices is the extension of trust through IT security controls and audits to our key vendors, suppliers, and partners. We require them to comply with our best practices. Is the federal government able to comply with our requirements for strong authentication, file encryption, vulnerability and patch management, and privileged user controls? Would a government agency that received our information be able to ensure its security?
We are also not comfortable with violating our own privacy agreements with our customers to share information with the federal government. Also, what information about our operations will be “shared” by our telecom provider or bank? What oversight regime will ensure the confidentiality of the information and prevent its misuse?
7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
Our primary concern is that so-called “risk assessments” are a very old methodology that relies on asset identification and classification. IT assets in particular are fluid, and even identifying them is a Sisyphean task. The idea of a federal risk assessment of the private sector is daunting, especially when the federal government has not been able to perform such an assessment of its own risks.
The best way to understand the problems with risk-based approaches is via metaphor. Does the President receive a daily briefing that walks through all of the assets and vulnerabilities of every US facility in the world? Or is he presented with a breakdown of the threat from various nation and non-nation actors? The latter is what is termed threat-based security methodology and is what most businesses are in the process of evolving to today. The Cybersecurity Act of 2012 is an example of how legislation, especially in high technology, cannot keep up with current thinking and methodologies.
8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?
Our concern is that another year of pondering vulnerability will not get us any closer to a more resilient and defensible cyber infrastructure. We already know that water, power, and communications are critical. The Cybersecurity Act of 2012 does absolutely nothing to reduce vulnerability, encourage best practices, or delay the moment when criticality will be demonstrated by a cyber attack that shuts them down.
Senator, I would suggest that, as in many matters involving science and technology, the scientists and technologists should be brought into future deliberations on cyber legislation. Fiascoes like the failed SOPA Act can be easily avoided if the right conversations are held with the right stakeholders. The technologists who make the Internet operate and the security experts who are battling to defend it need to be brought to the table in order to form better policy.
The Senior Fellow
The International Cybersecurity Dialogue