Inside Cybersecurity

August 10, 2020

Daily News

DMARC advocates, cyber policy veterans praise, ponder elements in NDAA bill; Senate moves toward passage

July 23, 2020

Former DHS cyber leader Phil Reitinger, whose Global Cyber Alliance is a leading advocate of “DMARC” as a way to secure email, is praising inclusion of a proposal to promote economy-wide adoption in the defense policy bill, as cyber policy veterans sort through the cybersecurity provisions added by lawmakers to the fiscal 2021 National Defense Authorization Act.

The House this week approved its version of the NDAA, including numerous recommendations from the Cyberspace Solarium Commission such as creation of a National Cyber Director, strengthening various CISA authorities, requiring cyber incident reporting and a study on the state of the cyber insurance market, among other cyber provisions.

The House-passed provision on Domain-based Message Authentication, Reporting and Conformance would require the Secretary of Homeland Security to develop a strategy to “implement DMARC across U.S.-based email providers.”

Reitinger, the president and CEO of the Global Cyber Alliance, told Inside Cybersecurity that the provision calling for CISA to develop a DMARC strategy for the nation is “very helpful” because “there’s virtually no way to protect people broadly unless DMARC is universally deployed.”

The U.S. Chamber of Commerce came out against the DMARC language, saying a federal strategy was unnecessary as the private sector is widely moving ahead on adopting DMARC.

Reitinger agreed that the “vast majority of individuals have DMARC because it’s now part of the package provided by Outlook, Google and other services. … It’s the business players with their own domains that still need DMARC.” He explained that DMARC is deployed on a “domain basis, so if you’re in a business domain, you may be exposed.”
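The domain-by-domain nature of DMARC is worth seeing concretely: a domain is protected only if its owner publishes a TXT record at `_dmarc.<domain>` with an enforcing policy, and a subdomain can carry a weaker policy than its parent through the `sp=` tag. The following Python is an added example (not code from the article, Inside Cybersecurity, or the Global Cyber Alliance) that parses a DMARC record string and classifies how much protection it actually provides. The record strings, domain names and function names are constructed for illustration; a real audit would obtain the string from a DNS TXT lookup of `_dmarc.<domain>`.

```python
"""Classify a domain's DMARC record by enforcement level (added example).

DMARC (RFC 7489) is published per domain as a TXT record at _dmarc.<domain>,
so each domain a business owns needs its own record. The sample records
below are constructed for illustration and are not real domains.
"""
from typing import Dict, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' record into a dict of lower-cased tags.

    Returns None when the string is not a DMARC record (the v tag must be
    DMARC1); an SPF record or arbitrary TXT data published at _dmarc is a
    common misconfiguration.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate empty segments and trailing semicolons
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def enforcement_level(record: Optional[str], subdomain: bool = False) -> str:
    """Return one of: missing, invalid, monitor, partial, quarantine, reject.

    missing    -> no record: receivers apply no DMARC policy to this domain
    invalid    -> a record exists but is not a usable DMARC record
    monitor    -> p=none (or sp=none for a subdomain): reports only
    partial    -> quarantine/reject requested for fewer than 100% of messages
    quarantine -> full quarantine
    reject     -> full reject
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    # For a subdomain the sp tag, when present, overrides the p tag.
    policy = tags.get("sp") if subdomain and "sp" in tags else tags.get("p")
    if policy not in VALID_POLICIES:
        return "invalid"  # p is mandatory and must be a known value
    if policy == "none":
        return "monitor"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    return policy


# Constructed sample records, one per situation the classifier distinguishes.
SAMPLES: Dict[str, Optional[str]] = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "subpolicy.example": "v=DMARC1; p=reject; sp=none",
    "wrongrecord.example": "v=spf1 include:_spf.example -all",
    "nodmarc.example": None,
}


def audit(samples: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its enforcement level for the parent domain."""
    return {domain: enforcement_level(rec) for domain, rec in samples.items()}


if __name__ == "__main__":
    for domain, level in audit(SAMPLES).items():
        print(f"{domain:22} {level}")
    # The subdomain view of subpolicy.example shows why sp= matters:
    print("mail.subpolicy.example", enforcement_level(SAMPLES["subpolicy.example"], subdomain=True))
```

Only `reject` and `quarantine` at `pct=100` mean receivers will actually act on spoofed mail bearing the domain; `monitor`, `partial`, `invalid` and `missing` are the states a domain owner should treat as gaps, and a subdomain with `sp=none` is exposed even when the parent domain is at `p=reject`.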

He acknowledged “justifiable concerns” about regulation among business groups like the Chamber, but said “having a strategy on getting DMARC deployed is the right thing to do.”

Reitinger also raised concerns about the proposed Cyber Director, saying creating such an office “would be inefficient and not particularly helpful. The issues before a Cyber Director would be big, they would be in the National Security Council apparatus anyway.”

He said a better approach would be ensuring the Cybersecurity and Infrastructure Security Agency has the authorities it needs, rather than creating a 50- to 100-person staff within the Executive Office of the President that would go looking for an operational role.

Todt calls for collaborative initiative on insurance

Kiersten Todt of the Cyber Readiness Institute agreed that inclusion of the DMARC language was a positive step, calling it a policy “no-brainer.” She also strongly backed the Cyber Director proposal, which has wide support among industry groups that were highly critical of the 2018 decision to eliminate the White House cyber coordinator role. Industry and other stakeholders argued that the coordinator was a key point of contact for them on cyber policy.

But Todt suggested the objectives of elements added to the NDAA bill like a cyber incident reporting requirement and the insurance study could be better accomplished in other ways.

On insurance, she said “the missing piece” continues to be “encouraging baseline behavior particularly by small and mid-sized companies.”

Lawmakers in the House decided to call for a study by the Government Accountability Office on the state and possible shortcomings of the cyber insurance market rather than mandate requirements for the industry.

Todt said the insurance market is evolving but is still “weighted toward the insurer rather than the purchasing company,” which too often finds that a cyber incident isn’t covered.

Companies increasingly have to show regulators that they have cyber insurance, Todt said, but “there’s a huge gap on what it actually accomplishes. … We’re not seeing the return on investment for companies.”

Todt called for a government-convened collaboration -- much like the National Institute of Standards and Technology’s approach -- to develop a “by-industry, for-industry” strategy on how cyber insurance can drive actual security improvements. “A fix wouldn’t be too difficult,” she said. “It would help the insurers and the companies that feel they have to buy it but don’t get covered when it counts.”

On incident reporting, she said placing a requirement on businesses is “kind of a Band-Aid,” when the larger issue is continuing to develop the proper “trust model” between government and industry.

CISA’s National Risk Management Center “is an excellent potential model for an incident repository,” Todt said, “but first you have to have the foundation of trust and reciprocity.”

In the Senate

Meanwhile, debate continued in the Senate where a vote is expected this morning on a package containing 40 amendments on various issues, with final passage of the Senate version of the NDAA later today.

Senate Homeland Security and Governmental Affairs Chairman Ron Johnson (R-WI) and Sen. Maggie Hassan (D-NH) issued a statement Wednesday praising the inclusion of language in the NDAA bill giving CISA power to subpoena Internet Service Providers for information when threats are detected on their networks.

“Every day our adversaries target our critical infrastructure, including our electric grids, dams, and airports. And every day, CISA is made aware of vulnerabilities to these systems -- some easily fixable -- but is powerless to warn the potential victims,” Johnson said. “This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim. We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

“When CISA identifies a potential cyber vulnerability in an electrical grid or other critical infrastructure, it cannot always identify the owner of the company in order to alert the company about the vulnerability,” Hassan said. “This common-sense proposal gives CISA the ability to get the information it needs from an Internet Service Provider in order to reach out to critical infrastructure companies to help prevent damaging cyberattacks. I will keep working with Senator Johnson and our colleagues on both sides to get this signed into law as part of the National Defense Authorization Act.”

The House and Senate will reconcile their versions after the August recess. -- Charlie Mitchell (cmitchell@iwpnews.com)