Arguing Against Voluntary Standards

CEOs See Provisions over Infosec Standards as Distraction
The idea of the U.S. federal government and industry jointly developing IT security best practices will do little to help critical infrastructure operators defend against cyber-risk, says Business Roundtable Vice President Liz Gasster.

"It makes an underlying assumption that the point of best practices will, in fact, be effective in addressing cybersecurity risk," Gasster says in an interview with Information Security Media Group. "And that while best practices are a useful tool, they are not alone going to be sufficient to deflect the most pernicious adversary."

The Obama administration and many lawmakers, mostly Democrats, have backed legislation that would get government and business to collaborate on creating a series of cybersecurity best practices that the mostly private owners of the nation's critical infrastructure could voluntarily adopt. Many Republican federal legislators and major business groups such as the U.S. Chamber of Commerce and the Business Roundtable, an association of chief executive officers of the nation's largest companies that include many critical infrastructure owners, oppose any form of cyber-regulation, including those involving voluntary adoption.

Stressing Information Sharing

A focus on voluntary best practices distracts from a more important government-business collaboration: sharing threat information, Gasster says.

Big business and their Republican supporters in Congress have backed legislative measures that ignored mention of any regulation, but emphasized information sharing. Legislation backed by Democratic lawmakers and the Obama administration also provide for information sharing, as well as promoting voluntary security standards.

Gasster says information sharing is "really where the resources of the companies and the resources of government need to be brought to bear together to focus on how to respond to the most serious threats rather than focusing exclusively on doing best practices that are going to create little to address those kinds of risks."

In the interview, Gasster:

  • Explains the Business Roundtable's goals in government-business cybersecurity collaboration, as outlined in the group's new publication, More Intelligence, More Effective Cyber Protection;
  • Rebuts arguments from critics who contend some infrastructure owners skimp on IT security investments in order to drive profits;
  • Makes the case for a new cybersecurity law that provides antitrust protection for businesses that share threat information with each other and the government.

Gasster oversees the Business Roundtable's Select Committee on Regulatory Reform, advocating for rules that promote growth instead of stifling business investment and opportunity. Before joining the Roundtable, Gasster served as senior policy counselor for ICANN, the Internet Corporation for Assigned Names and Numbers. Earlier in her career, she was general counsel and acting executive director of the Cybersecurity Industry Alliance and held various senior legal and policy roles at AT&T.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.