Lawmakers offer divergent views on promoting cybersecurity
Two House lawmakers Wednesday offered divergent views on how the federal government can best promote cybersecurity.
Rep. Zoe Lofgren, D-Calif., expressed support for creating an assistant secretary for cybersecurity at the Department of Homeland Security during a discussion on cybersecurity sponsored by George Mason University's Critical Infrastructure Protection Program. Lofgren, who sponsored a bill, H.R. 285, that would create such a position, said the issue of cyber security within the department "needs to be elevated."
Although House Government Reform Committee Chairman Tom Davis, R-Va., agreed that more must be done by the federal government in the area of cybersecurity, he disagreed that the creation of the assistant secretary post would be the best route to go.
According to Davis, cybersecurity leadership should be centrally located in the White House and the Office of Management and Budget because both "have the juice" when it comes to procurement and throughout the different cabinet departments. He also noted DHS has much to improve in its own computer network system, adding that the department received an "F" grade in the 2004 federal government computer security scorecard, released in February.
Although panelists expressed no preference for either option, they agreed the federal government needs to improve protection of its computer systems. "Do whatever it takes," Business Roundtable Public Policy Director Marian Hopkins said. "The consequences are too dire not to act."
Noting that incidents of cyber crime are directly correlated to market loss, Jody Westby, managing director of PricewaterhouseCoopers, expressed supported companies officially disclosing cybersecurity protections to the Securities and Exchange Commission (SEC).
Davis expressed apprehension at imposing additional reporting requirements. "That's not what the SEC was designed to do," he said. Lofgren said she was concerned that the reporting requirement would provide a roadmap for where companies are not protected, therefore enhancing their risk of attack.
Paul Kurtz, executive director of the Virginia-based Cyber Security Industry Alliance, also disagreed with adding such a reporting requirement, saying that more time should be given to allow companies to abide by the 2002 Sarbanes-Oxley law, which mandates stricter accounting requirements for firms.