The South by Southwest (SXSW) festival starts this weekend in Austin, and in keeping with a trend in recent years, cybersecurity will be one of the prevailing themes at the conference. There will be panels on how startups can protect themselves from attacks, tips for innovators trying to stay ahead of cyber criminals, and exhibitions showcasing the latest encryption and privacy technologies. There’s even an entire category of innovation awards devoted to privacy and security startups.
In other words, cybersecurity will have the spotlight this week in Texas’s state capital – but it needs more than that. It needs the spotlight in the nation’s capital, and not for one week, but all year round. Here at the U.S. Chamber, we’re working to ensure cybersecurity gets the attention and urgent action it needs from policymakers, not next year or under the next administration, but right now.
It’s a conversation that can’t wait, because cybercrime isn’t slowing down to wait for the election process to run its course. Last year was another alarmingly successful year for cyber criminals, with conservative estimates putting the global economic toll of cybercrime at $375 billion – much of that impacting businesses and consumers here in the United States.
Of course, as the owners and operators of 85 percent of the nation’s critical cyber infrastructure, the private sector holds much of the responsibility for mitigating cybersecurity risks, securing their private data and protecting their companies. And that’s part of the reason events like SXSW are so vital, in that they bring industry leaders together to discuss challenges, identify best practices and pursue solutions.
However, because of the potential economic and national security consequences of cyberattacks, the U.S. government has an important role to play in protecting and defending the country’s critical cyber infrastructure. But what exactly does that mean, and what can federal policymakers do right now to help secure America’s cyber networks? Here are three top priorities for Washington.
Help companies share cyber threat data
In a recent IBM study, 55 percent of CEOs said that greater cyber threat information sharing among businesses and government officials was necessary to fight cybercrime, but only 32 percent said that they were willing to share their company’s data. That presents a serious challenge.
Late last year, Congress passed and the President signed landmark cybersecurity legislation known as the Cybersecurity Information Sharing Act (CISA), which starts to tackle this issue by giving legal protection to businesses that voluntarily share data on cyberattacks with industry peers and the government.
This has enormous potential to help companies identify and protect themselves against cyber threats, as business leaders can more freely discuss, for instance, the tactics commonly used to gain illicit access to their networks, the vulnerabilities that tend to be exploited, and the indicators that suggest that a network breach or some other type of cyberattack has occurred.
But the job isn’t finished. It’s now important that the Department of Homeland Security and other federal agencies work closely with industry leaders to effectively implement the CISA statute, so that the legislation can have its intended impact. Only with voluntary and flexible guidelines like the ones in the CISA legislation can U.S. businesses better shield themselves from today’s cyber criminals.
Align domestic cybersecurity regulations
Let’s start with a little history, for background. In 2013, President Barack Obama signed Executive Order 13636, and a year later, he signed the Cybersecurity Enhancement Act. Both instructed federal agencies to remove duplicative and overly burdensome cybersecurity regulations.
Now fast forward to the present day. If you are in a regulated industry—health care, automobiles, water and wastewater, financial services, to name a few—you may have instead noticed that federal agencies have been flexing their regulatory muscles lately. That wasn’t the intention. So while we aren’t looking to roll back the current cybersecurity regime, there are overlaps in existing laws and regulations that can be eliminated. That’s something our nation’s leaders should address sooner rather than later.
Keep cybersecurity collaborative, voluntary and innovative
Most experts agree that regulations cannot possibly keep pace with cyber criminals. In fact, even attempting to keep pace on their own would probably lead to “check-the-box” security mandates that are costly, time-consuming, and ultimately ineffective.
The development of the National Institute of Science and Technology’s cybersecurity framework (essentially a set of guidelines to help businesses start a cybersecurity program or improve an existing one) exemplifies the collaborative and innovative approach that best promotes effective cyber risk management. We will continue to urge today’s (and future) policymakers to ensure that regulations are compatible with NIST’s voluntary, risk-based approach to the framework.
Succinctly put, Washington’s policymakers can collect and share more cyber threat data with industry, reduce onerous regulations, and maintain a voluntary approach to cybersecurity. When paired with the efforts of innovators and the technology community – which will be on full display this week in Austin – these actions by our nation’s leaders will help protect U.S. businesses and the American public.