A better approach toward cybersecurity
It’s time for a “reset” in the public policy debate over cybersecurity to avoid a governmental-dominated approach heavy with regulation, Business Roundtable said today in releasing a new report that proposes an alternative strategy that builds upon information sharing.
BRT’s release of the report, “More Intelligent, More Effective Cybersecurity Protection,” comes as President Obama is readying an executive order to expand federal agencies’ authority in the cybersecurity realm and Congress begins another debate on the issue.
CEOs believe a “true public-private collaboration” would be more effective than a mandated, "top-down regulatory approach,” said Mike Manchisi, group executive of MasterCard Worldwide's global processing business. Ajay Banga, President and CEO of MasterCard Worldwide, chairs BRT Information and Technology Committee. (News release)
Manchisi, BRT President John Engler, and BRT Vice President Liz Gasster briefed the media on the report today. Mastercard's Banga was also interviewed in The Wall Street Journal, "Cyber Attacks Bring Call for Help."
“When you think about cybersecurity, it’s less about physical security and law enforcement. It’s probably more akin to intelligence and cyberespionage, so the flexibility and responsiveness in this space is going to be very essential to countering what are very rapidly evolving threats,” Manchisi said. "The missing piece of this is really robust, two-way information sharing that has the appropriate legal and privacy protections between business and government.”
With legislation protecting companies, the report states, CEOs are committed to:
- Investing in the infrastructure necessary to receive shared threat information;
- Developing the capabilities required to integrate cybersecurity threat and risk information into CEO risk management; and
- Recommending that boards of directors, as part of their risk oversight functions, continue to periodically review management’s business resiliency plans, including cybersecurity- and oversee-related risk assessment and risk management processes.
BRT's Engler also emphasized the need for flexibility, for which government mandates are ill-suited.
It’s a new engine, it’s a new technology, it’s a new material. It’s something that has real value as an asset in the marketplace...
What you’re trying to protect is constantly changing, and the threat of what they’re trying to do to get at it, is constantly changing, so there’s no ability to pick, [for example] that on January 20, 2013, we put this rule in place and we’re going to have a party. We solved the problem! January 21, you have a different problem.
The report follows a year of analysis of the issue by Business Roundtable and its member CEOs, who are intent on pursuing effective cybersecurity strategies.
"The CEOs themselves, across all of the sectors – chemical sector, oil and gas sector, electric sector, financial services – are saying this is extremely important to us," the BRT's Gasster said. "We take this seriously, we will oversee cybersecurity and make it a priority, and set a culture in our companies that this is a top priority across all our infrastructure."
- The Hill (blog), "Business leaders press for better information-sharing about cyber threats"
- NetworkWorld.com, "Better business-government teamwork needed to categorically fight cyberthreats"
UPDATE (10:45 a.m., Jan. 10, 2013):
- Wall Street Journal's Daily Wrap radio show interview with BRT's Liz Gasster.
- ComputerWorld.com, "Business Roundtable backs CISPA approach to cybersecurity"
- National Defense magazine, "Public-Private Collaboration Needed to Combat Cyberthreats, Business Leaders Say"
- Computerworld.com, "Obama's CIA nominee an advocate for federal cybersec regulations"
- New York Times, "Bank Hacks Were Work of Iranians, Officials Say"
- Christian Science Monitor special section, "Cyber security in 2013: How vulnerable to attack is US now?"