Commerce secretary: Feds’ relationship with business ‘adversarial’

The head of the agency responsible for promoting economic growth acknowledged Tuesday that the Obama administration has an “adversarial” relationship with the private sector, saying companies fear that “even basic interactions” could lead to retribution from the feds.

The remarks were made in the context of a speech on cybersecurity delivered before the Chamber of Commerce by Secretary of Commerce Penny Pritzker. “Put simply: the federal government cannot regulate cyberrisk out of existence. What we can do is work with … business leaders, technical experts, and cybersecurity professionals to better manage cyberrisk,” Pritzker said.

Pritzker said the federal government needed to adopt a “joint-defense posture” on cybersecurity with the private sector, but that companies were disinclined to work with the federal government out of fear. “The problem is that relationships between regulators and the businesses they regulate are inherently adversarial, not collaborative.

“Pick any cyberbreach,” Pritzker said. “Target, Sony, Yahoo. When under attack, these companies do not think about how government can help them. What they see are the downsides of engagement: potential liability, the risk of punitive action, and the investigations that may result from even basic interactions, like reporting an intrusion to the FBI.”

Target lost credit card information on 40 million customers in a 2013 breach, and agreed last year to pay as much as $10 million in total reimbursement to victims. Sony was prominently breached in 2014 by hackers linked to North Korea, while Yahoo lost information on 500 million accounts in a 2014 breach announced last week.

Yahoo disclosed the massive breach, which potentially affects more victims than any in history, only after hackers surfaced on the “dark web” offering to sell the information for as little as $1,800. Legal analysts have noted the failure to disclose in a timely manner could expose the company to even more liability. The company claims it can link the breach to a state actor, similar to the attack on Sony.

Pritzker said she could empathize with the reticence of private companies to seek help from the feds in defending against foreign governments. “As someone who spent 27 years building businesses, I get it. We cannot blame executives for worrying that what starts today as an honest conversation about a cyberattack could end tomorrow in a ‘punish the victim’ regulatory enforcement action.

“When companies under attack by hostile nations fear coming to their government for help, something is wrong,” Pritzker added. “We must change the value proposition for businesses to engage with government before, during, and after cyberattacks.”

Pritzker said the solution could be a “reverse Miranda” protection when it comes to disclosing breaches. “In other words: nothing you say in this setting will be used against you.”

Pritzker insisted the administration was making progress toward that framework. “Don’t get me wrong,” she said. “We must protect consumers and hold industry to high standards. But we also need a real team effort… Trust is the linchpin of the digital economy. Failure to cultivate that trust will not only leave us vulnerable to attacks on critical infrastructure, but risk slowing the pace of American innovation.”
