The Lieberman, Collins, Carper cybersecurity bill would do nothing but slow down real progress and undercut Howard Schmidt's authority, former State of Pennsylvania CISO Robert Maley warns. It has been four months since moving from public service as CISO for the Commonwealth of PA into the private sector as a consultant. The thing about cybersecurity is that, although the private sector is just as important as the public, it seems that the government has been dominating the news and direction of cyber protection.The recent introduction of the Lieberman, Collins, Carper cybersecurity bill is a prime example.It is a complex matter, to say the least, and I have no confidence that the bill will actually make our critical infrastructure more secure.As Tom Burghardt says in Through the Wormhole: The Secret State’s Mad Scheme to Control the Internet, “Fueling administration moves to “beef up,” i.e. tighten state controls over the free flow of information is cash, lots of it. The Washington Post reported June 22 that “Cybersecurity, fast becoming Washington’s growth industry of choice, appears to be in line for a multibillion-dollar injection of federal research dollars, according to a senior intelligence official.” In the Lieberman, Collins, Carper letter to Cisco, Oracle and IBM, a public/private partnership is mentioned, which on its face is a good thing. The private sector is motivated to enhance security and reduce risk because it affects the bottom line of the company. The bill talks about securing the supply chain through a risk management strategy, which I think is overdue. When a government entity acquires a product or system that eventually fails, who is really to blame? The company that met all the requirements of a low-bid contract, or the entity that failed to include specific security deliverables in the request for bids?The bill also calls for the creation of a national center for cybersecurity and communications and an office for cyber policy. Last December, Howard Schmidt was appointed the President’s cybersecurity coordinator. I thought that position was to lead the administration’s cyber strategy, so I am not sure that the addition of new government agencies and bureaucracy would improve things.In a March Wired.com interview, Schmidt said that “There is no cyber war. I think that is a terrible metaphor and I think that is a terrible concept.” He went on to say that “the government needs to focus its cybersecurity efforts to fight online crime and espionage.” (He made a similar statement in the CSO story Howard Schmidt: Cybersecurity battle ‘different’ this time.The Lieberman letter claims the bill will give that position the authority to be the lead in many of the bill’s requirements, which would be a good thing. But how new government overhead would make things more secure escapes me.Then there is the controversial provision granting the government the authority to “take over the Internet” in certain cases of national emergency. Lieberman makes the case that bill sets up a process that clearly defines and limits the systems and assets that can be identified as critical infrastructure subject to takeover, but since when did government regulation provide clarity?The Lieberman letter states that “by working in partnership and voluntarily sharing information with the private sector, the NCCC will have a better understanding of the threats and vulnerabilities our nation faces in cyberspace”. How effective has the government been in the past with voluntarily sharing full and accurate information? Historically, the private sector has been required through all the various regulatory acts to disclose, yet the government still looks at information sharing on a “need-to-know” basis, or sometimes filtering information to minimize the political impact of full disclosure.The bill lacks the strategic value to address our real-world cybersecurity issues, and introduces enough government oversight to slow down any real progress in the battle. The private sector should continue its initiatives to share information, increase situational awareness via the network of ISACs and take the initiative in securing its own products and infrastructure. And, the government should follow its cybersecurity coordinator’s advice: Fight the real threat, online crime and espionage. Related content news analysis Attackers breach US government agencies through ColdFusion flaw Both incidents targeted outdated and unpatched ColdFusion servers and exploited a known vulnerability. By Lucian Constantin Dec 06, 2023 5 mins Advanced Persistent Threats Advanced Persistent Threats Advanced Persistent Threats news BSIMM 14 finds rapid growth in automated security technology Embrace of a "shift everywhere" philosophy is driving a demand for automated, event-driven software security testing. By John P. Mello Jr. Dec 06, 2023 4 mins Application Security Network Security news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices feature 20 years of Patch Tuesday: it’s time to look outside the Windows when fixing vulnerabilities After two decades of regular and indispensable updates, it’s clear that security teams need take a more holistic approach to applying fixes far beyond the Microsoft ecosystem. By Susan Bradley Dec 06, 2023 6 mins Patch Management Software Threat and Vulnerability Management Windows Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe