The Obama administration isn’t against the idea of extending liability protection as part of private sector adoption of a federally mandated cybersecurity framework, said Bruce McConnell, a senior Homeland Security Department cybersecurity advisor.
The White House unveiled in May a cybersecurity proposal that would require operators of critical infrastructure to adopt cybersecurity measures against which they would be audited regularly.
Liability protection is not in the proposal, McConnell acknowledged, “but that’s not because we’re opposed to it,” he said while speaking July 21 during a panel hosted by the Brookings Institution in Washington, D.C.
McConnell said the proposal is necessary because the private sector has underinvested in cybersecurity.
Firms’ spending on cybersecurity depends on the worth of the assets they want to protect, McConnell said, but they tend to undervalue the damage of cyber attacks.
“Companies and firms don’t know how to value the confidentiality of information, they don’t know how to value the integrity of information, they don’t know how to value the losses that come from the attacks,” he said.
Cyber attacks made against particular companies can cause broader societal losses, but there’s currently “no reason why a firm would rationally make an investment beyond its own individual costs,” McConnell added.
The framework envisioned by the White House “is not a compliance-based approach,” McConnell said. “It’s a framework that allows firms to select the most technologically efficient ways of addressing the risks that we’ve identified, in cases where the social risk of not addressing them is judged to be too high.”
Private sector response to the proposal has been critical. Larry Clinton, president of the Internet Security Alliance, an industry association, said the private sector would respond better to liability protections, creation of a better cyber insurance market and government procurement incentives.
“Uneconomic investments are not sustainable,” Clinton said during the panel discussion. “And this is a problem that we’re going to continue to have with us, and therefore we need to come up with a sustainable solution. We need to address the cost issues.”