The top counterterrorism official at the Homeland Security Department on Tuesday called on businesses to cooperate more with government when hit by hackers.
“Let’s face it — cybersecurity primarily is a civilian space — it is used mostly by businesses, but it is tied closely to national security,” said Rand Beers, undersecretary for the National Protection and Programs Directorate, during a conference in Washington sponsored by antivirus company Symantec. “This requires us to share information both within government, between governments and with the private sector. It needs to be a two-way street.”
The White House in May presented Congress with 52 pages of legislative text that would subject private networks to more regulation. The proposal details the role DHS would play in ensuring businesses that operate networks that sustain life-critical infrastructure — power, water treatment and financial services — are meeting security standards.
But some businesses are critical of plans to step up oversight of commercial networks, while some military proponents say the National Security Agency, the Pentagon’s cyber arm, should take the lead on network defense. Beers said the proposal would solidify the role of DHS as head of cybersecurity operations governmentwide and as adviser to the private sector on network protection.
He stressed that companies largely would be left to their own devices to safeguard systems. “Together with industry, DHS will identify the [most critical] infrastructure and then DHS will specify the risks that industries need to mitigate through a public rule-making process,” he said. Businesses then would be allowed to develop risk-mitigation plans that meet their needs. “It is industry, not government, that will provide the solutions under this proposal,” Beers added.
And he noted that the government will not punish companies for disobeying the rules. “Instead of fines or penalties, DHS will use transparency,” by disclosing the names of firms that are not up to par, “and market forces to incentivize compliance with this regime,” Beers said. Any information published about noncompliant companies would be limited to very general descriptions so as not to reveal vulnerabilities, he said.