Businesses should have “reverse Miranda” rights to discuss cyberattacks with regulators and other government agencies without fear of self-incrimination, Commerce Secretary Penny Pritzker said Tuesday, lauding the report of President Obama’s cybersecurity commission.
The proposal was one of several in the report she highlighted at a National Press Club event hosted by the industry advocacy group U.S. Telecom. In common with other speakers at the business-heavy gathering, she emphasized the case the commissioners made for voluntary cybersecurity standards outside of already-regulated vital industries like banking or electricity; the “pruning” or “realignment” of existing regulations in those sectors; and an overall approach to cybersecurity that emphasizes public-private partnerships.
“The problem is that today, relationships between regulators and the businesses they regulate are inherently adversarial — not collaborative,” she said. “We cannot blame executives for worrying that what starts today as an honest conversation about a cyber-threat could end tomorrow in a ‘punish the victim’ enforcement action.”
What was needed, Pritzker said, was what U.S. Telecom had proposed in relation to the Federal Communications Commission, and what the cybersecurity commission had proposed extending to industry more generally: a “reverse Miranda” protection.
“In other words,” she explained, “Nothing you say in this setting will be used against you.” She suggested that congressional action might be necessary to reassure business leaders, despite pre-existing protections for information turned over by critical infrastructure owners and operators. “Congress may need to pass laws that extend to businesses throughout the digital ecosystem,” she said.
“Don’t get me wrong,” Pritzker added, “We must hold industry to high standards. However, enabling greater cooperation and protecting consumers are not mutually exclusive.”
To this end, Pritzker highlighted in her remarks the report’s recommendations for a new “National Cybersecurity Private–Public Program (NCP3)” and a governmentwide effort to “harmonize existing and future regulations with the [National Institute of Standards and Technology] Cybersecurity Framework to focus on risk management — reducing industry’s cost of complying with prescriptive or conflicting regulations.”
That call was welcomed by other speakers, including Heather Hogsett, vice president of technology and risk strategy at banking industry association the Financial Services Roundtable.
“From a regulatory perspective, financial services is one of the most heavily regulated sectors,” Hogsett said, adding “That ship has sailed, we know we are going to be regulated.”
Instead, she said, the issue was “the number of federal and main state entities that are regulating financial services. … You have 15 regulatory agencies and … you have an additional eight federal agencies with some jurisdiction over cybersecurity.”
Now that recent attacks against banks like JP Morgan Chase have pushed financial-sector cybersecurity to the top of the federal agenda, all 23 of those agencies and departments were keen to get in on the act.
“With the recognition that cybersecurity is a critical issue,” she said, “everyone wants to do something in cyber, so there’s been a move to do something — and whether or not it makes sense and is helpful is sort of irrelevant.”
As a result, “We’re now beginning to see a number of problems with that because it’s not harmonized across regulatory agencies, not even at the federal level, much less with states or the international environment.”
She said the roundtable was “working with the incoming administration and Congress to educate them” about the problem.
So, harmonizing those efforts with the NIST framework “was a really great recommendation by the commission,” she concluded.
The problem, said long-time industry advocate Larry Clinton, president of the Internet Security Alliance, is that “Nobody knows what ‘aligning’ with the NIST framework means, [or] what ‘using’ the NIST framework means.”
“There’s a lot of loose talk about the NIST framework,” from the regulatory agencies, he said. “They virtually all say that they align with the NIST framework, but they’re inconsistent, they’re contradictory, they’re overlapping and they are anti-security. These current regulatory models are making us spend our scarce resources on compliance, which means we don’t have enough time to do security.”
He urged the incoming administration to take up the commission proposals to “do away with that regulatory underbrush,” and “streamline” regulations.
Regulation was not the answer, even when there was market failure, Clinton said. “We can’t have a traditional regulatory model — the checklist, backward-looking model of auditing.” He called that “anti-security.”
“In the 21st century, we need an entirely different model of cybersecurity, where government does have a role, but it is not the regulatory role, it is the incentive role,” he said.
“Cyber-regulation is an area where, at this stage, less is more,” he added.
The good news, Clinton concluded, is that “a good deal of this regulatory underbrush can probably be [cleared] at the executive level … this might be an area the Trump administration can get started on early while Congress reorganizes and begins needed legislative action to replace the outdated regulatory regime with a consensus based incentive model.”