Commerce Secretary Penny Pritzker recently delivered a message on cybersecurity that industry is desperate to hear — and to hear repeated as often as possible: “We cannot regulate cyber risk out of existence.”
“The government alone cannot secure our digital economy,” Pritzker said, while noting that “cyber remains the only domain where we ask the private sector” to defend against Russia, China, Iran, terrorists and any other bad actor.
“Does that sound as crazy to you as it does to me?” Pritzker asked an appreciative audience at the U.S. Chamber of Commerce’s annual cybersecurity summit on Sept. 27.
And, she said, regulation wasn’t the answer. What’s needed is “dynamic risk management,” developed by industry with government in a supporting role.
Instead, she said, industry was seeing more regulation and more chances for litigation.
Pritzker called for “a setting based on partnership, not punitive enforcement threats.”
This was the speech that the telecom industry had been hoping to hear from Federal Communications Commission Chairman Thomas Wheeler in 2014. Instead, Wheeler praised voluntary industry efforts while adding that regulation would swiftly follow if industry slacked off.
Defense contractors, the financial sector and others all have been expressing concern, at least over the past year, that officials are mouthing the words about respecting an industry-based approach to cyber, but in reality are itching to regulate.
Pritzker left out the threats and drew an enthusiastic response from her audience.
The overall message from a full day of presentations at the U.S. Chamber was: avoid regulation, use the National Institute of Standards and Technology’s voluntary framework of cyber standards, and please participate in cyber information sharing.
The speakers may have been preaching to the choir, but there is a concerted campaign underway to leave a fully formed cyber policy in place for the next administration.
Former House Intelligence Chairman Mike Rogers, R-Mich., retired Gen. Michael Hayden, the former National Security Agency and CIA director, and former NSA Deputy Director Chris Inglis all amplified that message at the U.S. Chamber event.
Rogers offered three industry-friendly steps the new administration could quickly embrace for “short-term wins” in cyberspace.
He called for announcing a “whole of government” cyber strategy that spells out policies and roles — including a reinvigorated role for the NSA. “Put your best players on the field,” Rogers said, arguing that the entire country should take a “giant Alka Seltzer to get over the cyber policy hangover left by the Snowden affair.
The new administration should also announce an aggressive new policy on naming the villains in cyberattacks, especially when nation-states are behind them.
This would have a major, tangible benefit for industry, Rogers said. It would “change the dynamics” related to liability and help mitigate industry’s costs, he suggested.
And Rogers called for a “private sector-led certification” program that attests to companies’ cyber efforts but isn’t run by the government.
All three steps could be announced in the first 100 days of the new administration, Rogers said.
Hayden touted the potential role of the insurance industry in driving cyber improvements, while arguing against regulation. Government should be in a “supporting role, a getting-out-of-the-way role,” he said.
Inglis called for emphasizing deterrence by making clear that the U.S. will “impose costs” when others defy international norms.
Beneath it all was a warning against cyber regulation.
Industry and its leaders are desperately trying to ensure that this message sticks with whoever takes over the executive branch in January.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.