
As cyber threats grow more advanced and pervasive, lawmakers and industry leaders are considering ways to shift cybersecurity burdens from victims to software providers, while at the same time deepening public-private partnerships to counter national security risks.
Industry leaders representing some of the country’s largest technology and cybersecurity companies testified about those strategies at a May 28 field hearing held by the House Homeland Security Committee at the Hoover Institution at Stanford University in Stanford, Calif.
Witnesses said that the current cybersecurity policy climate works to punish cybercrime victims – particularly small businesses, hospitals, and schools – by leaving them outmatched by sophisticated threat actors.
“[During a bank robbery] we oftentimes don’t … blame the bank for having an armed robber come in at gunpoint and a teller provide them some funds that are in their tray,” said Wendi Whitmore, chief security intelligence officer at Palo Alto Networks.
“We do often do that [to cybercrime victims], and then we add regulation in that requires them to provide information in this most dynamic time period … so you have a victim who is now potentially trying to negotiate or have communications with an attacker,” she continued.
Jack Cable, the chief executive officer and co-founder of Corridor, joined Whitmore in advocating for holding software vendors accountable for preventable vulnerabilities through liability measures and shifting incentives toward secure-by-design practices, while also increasing victims’ access to Federal assistance.
Responding to a question from committee Chairman Mark Green, R-Tenn., Jeanette Manfra, global director for security and compliance at Google Cloud, recommended against criminalizing ransomware payments by hacking victims.
“It’s just such a complicated space right now, and you run into scenarios where you potentially have life and safety issues without that payment,” said Manfra. She instead suggested raising the baseline of security across all sectors by fixing known vulnerabilities and developing a new kind of public-private partnership to address high-level national threats.
“There are unique national risks that impact certain sectors more than others and require a different set of capabilities,” said Manfra. “[The partnership could be] a smaller set of actors that have capabilities in the private sector and the government coming together to identify what is the threat.”
Rep. Green agreed with some of the witness testimony, and said better security will depend on moving away from traditional divides between the public and private sectors, given that the two increasingly share interconnected digital infrastructure.
“We [have] pushed very hard about having a sovereign border that needs to be protected and … if China were physically driving tanks across the southern border, that’s exactly what the Federal government would do to defend against that,” said Rep. Green. “But I would submit there is a cyber border that’s just as sovereign, and we can’t expect companies to defend themselves.”
Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, voiced similar support for the secure-by-design movement, while also noting that manufacturers can’t bear total responsibility.
“You can hold a company [responsible] for its design … but at some point, the balance tips and goes to … people [automatically thinking], ‘Okay, this is secure, I can just do whatever I want,’ … there still has to be some reliance on the individual,” said the congressman.
Other suggestions from witnesses included the need for Federal incentives to push vendors toward stronger security, while also employing consistent standards and urging greater transparency for consumers.
“Cybersecurity regulations and requirements are almost always placed on the end users of technology products,” said Cable while recommending that Congress steer Federal government purchasing power to drive new standards. “I think we need to look at, okay, how can we help shift some of those requirements off of those least responsible … so that they are placed on the software manufacturers who are … in the best position to bear that.”