The US government needs to create new regulations and incentives to get private companies to protect important cyber infrastructure including the electricity grid, water facilities and financial systems, said the new chairwoman of a US House of Representatives cybersecurity subcommittee.
Representative Yvette Clarke, a New York Democrat, also called for a new national cybersecurity strategy during a Tuesday hearing of the House Homeland Security Committee's cybersecurity subcommittee.
A 2002 strategy from former President George Bush had no teeth to mandate that private companies take actions to protect cybersecurity, she said.
"Unfortunately, that strategy stopped short of mandating security changes," Clarke said. "While the previous administration relied on a voluntary protection system throughout many of the 18 critical infrastructure sectors, I believe administration should seek to use a combination of regulations and incentives to ensure that ... key infrastructures are properly secured."
Clarke didn't offer details of what regulations should be created, but she suggested that current policies have largely been ineffective.
"We find ourselves in an extremely dangerous situation today: Too many vulnerabilities exist on too many critical networks, which are exposed to too many skilled attackers who can inflict too many damages to our systems," she said.
"The previous two decades have seen countless reports from America's thought leaders in cybersecurity, containing hundreds of recommendations about how to improve America's posture in cyberspace. What has been lacking is the courage and leadership to actually implement these recommendations."
A panel of cybersecurity experts offered more recommendations Tuesday, but Clarke found support for regulations from Scott Charney, vice president of trustworthy computing at Microsoft. Limited, "appropriately tailored legislation" may be necessary to get private companies to take the steps necessary to protect US cybersecurity.
US markets "will not pay for the level of security likely necessary to protect national security," Charney said.
Government can create regulations based on industry best practices, while not over-regulating, he said.
While some witnesses and lawmakers were critical of the US Department of Homeland Security's cybersecurity efforts, handing the effort over to the US intelligence community isn't the answer, either, added Amit Yoran, CEO of cybersecurity vendor NetWitness and former director of the DHS National Cyber Security Division.
"There is great peril if this effort is dominated by the intelligence community," Yoran said. "There is a clear and distinct conflict of interest between intelligence objectives and those of system operators."
Intelligence agencies focus on monitoring adversaries, determining their methods and tracking their activities, while system operators want speedy fixes to cybersecurity problems, he said.
Yoran's comments came just days after Rod Beckstrom, director of the US National Cybersecurity Centre, announced his resignation, while complaining about the large role of the National Security Agency (NSA) in cybersecurity.
Microsoft's Charney agreed with Yoran, saying that if lawmakers want the public to trust national cybersecurity efforts, the lead agency shouldn't be the secretive NSA.
Jim Lewis, project director at the think thank the Centre for Strategic and International Studies, called on President Barack Obama's administration to create a cybersecurity office in the White House. Only the White House has the power to pull together all the agencies working on cybersecurity, he said. That was one of the top recommendations in a cybersecurity report issued by CSIS late last year.
"We concluded that only the White House had the authority to bring many large and powerful agencies to follow a common agenda and to coordinate with each other," Lewis said. "A successful approach to cybersecurity blends intelligence, law enforcement, military diplomatic and domestic regulatory functions."
Representative Paul Broun, a Georgia Republican, disagreed, saying the Bush White House wasn't aggressive enough about cybersecurity and he's not sure if Obama will be, either.