Companies that control key infrastructure have so far remained largely free of regulations to ensure that their information technology systems are secure. But policy-makers appear to be in the early stages of considering such rules.
Exhibit A: Legislation that would require the Department of Homeland Security to study an assortment of regulations was adopted this week by a House subcommittee. The bill allocates funds for research into, among other things, the efficacy of (1) "mandated reporting of security breaches" that threaten critical infrastructure; (2) "regulation that imposes, under threat of civil penalty, best practices" on operators of critical infrastructure; and (3) "accounting practices that require companies to report their cybersecurity practices and postures and the results of independently conducted 'red-team' simulated attacks or exercises."
Exhibit B: The "Rockefeller-Snowe Cybersecurity Act" introduced this week would require the president and critical infrastructure industries to develop cybersecurity best practices, which the companies would be expected to follow. Independent audits would be conducted, and companies that fell short would have "to work collaboratively with the government and private sector colleagues within their critical infrastructure sector (via existing sector coordinating councils) to develop and implement a collaborative remediation plan."
Exhibit C: The FCC's national broadband plan unveiled this week proposes expanding network outage reporting rules that now apply only to traditional telephone service. The FCC would like the rules to apply to all broadband network services. The FCC also proposed a "voluntary cybersecurity certification program" for businesses.
None of the above examples present major challenges for the private sector. In fact, several industry associations have successfully steered Congress and the FCC away from regulatory solutions for cybersecurity. But policy-makers like to create rules, and they're still learning about cybersecurity. -- TL
Thursday, March 18, 2010