Cybersecurity enforcement plan could backfire, Sen Collins warns

A key lawmaker assessing a White House bill to strengthen cybersecurity warned that the proposal's plan for policing critical commercial networks -- by disclosing audits of their security practices -- could inadvertently steer US adversaries to vulnerable targets.

"The evaluation of that [company's security] plan would be publicly accessible," Sen. Susan Collins (R-Maine), ranking member of the Homeland Security and Governmental Affairs Committee, said at a hearing. "We don't want to give those that would do us harm a roadmap on to how to attack our critical infrastructure."
The panel's chairman, Joe Lieberman (I-CT), and Sen Collins -- despite her criticism -- have introduced wide-ranging cyber legislation that largely dovetails with the executive branch's ideas. One of the exceptions is the regulation of critical infrastructure systems, or networks such as power grids that, if attacked, could devastate the economy or harm public safety. The private sector operates the majority of such cyberspace services.

The Administration's proposal takes the light-handed approach of publicly naming companies that fail in independent inspections of their network protections -- instead of shutting down their networks or fining them.

"The biggest lever here would be transparency," said Philip Reitinger, the top cybersecurity policy official at the Homeland Security Department. He stressed that the purpose of the openness is not just to shame companies into compliance, but also to let the financial markets and customers take into account a firm's privacy and security protections.

Added Ari Schwartz, senior Internet policy adviser for the National Institute of Standards and Technology, "If they do it deadly wrong, you're going to have brand impact potentially." The White House text also offers a carrot: Companies with stellar cyber records could be given preference in competitions for federal business contracts.