High-profile cyberthreats to U.S. interests are nothing new, but in the past few years several attempts to pass comprehensive cybersecurity legislation have failed due to concern that new rules would put an undue burden on industry. Despite these concerns, former White House chief information officer Theresa Payton says industry needs to be very involved in the cybersecurity process, especially when it comes to sharing best practices -- and mistakes -- after a breach occurs.
In part two of this two-part video interview, Payton, now CEO at Fortalice LLC, a cybersecurity solutions company based in Charlotte, N.C., sits down with SearchCompliance Editor Wendy Schuchart to discuss what she thinks are necessary characteristics of any future cybersecurity legislation, and ideas to get employees involved in data security processes.
I'm here today with former White House CIO Theresa Payton talking about cybersecurity. Do you think that cybersecurity legislation could help protect public and private interests online?
Theresa Payton: I personally get conflicted on this because it's tough to say that a law is going to make a business do a better job at being safe. It's hard for me to sort of swallow and say that, although we did see that on the consumer side with credit cards. People were just getting the shirts taken off their backs because people would steal their credit cards and, if they didn't report it stolen, they were accountable for everything.
Then consumer protection acts came out, same thing on online banking. There's the EFT, the Electronic Fund Transfer Act, which basically says if a hacker gets into your personal account, the bank has to make you whole. It's not your fault, I mean, unless you gave away your Social Security number. But the bank has to eventually make you whole and you'll be taken care of. It'll be a mess, but it'll be taken care of.
The banking industry responded to that by saying, 'Well, then we're going to get our shirts taken off our backs.' They've created a very sophisticated technology, some platforms to not only take care of the customers but also avoid huge losses.
That's an example of where a disincentive worked, but it was very expensive and very difficult for the banks to implement. While you're implementing things like that, you're not innovating. So the challenge would be -- whether it's health care, energy, insurance, banking, transportation -- if we create a law, I'd like to see it set for some basic standards. But I'd rather see the law focus on things like how do we make it easy for you to share what just happened to you without fear of repercussion. How do we make it easy for you to tell in a trusted group what happened, how it happened, and if you had to do it all over again what would you do differently? We don't really have sort of that safe harbor forum today.
I'm hoping that the cybersecurity legislation will put forth some standards that small- and medium-sized businesses can understand, and for large corporations, they know what they need to be doing. It's harder for the small- and medium-sized businesses to really know where to start. I'd like to see us focus on some incentives to really pump up what we're already doing in information sharing.
You spoke about incentives and kind of rewarding rather than punishing. You had put together a program at the White House that made it more fun for employees to follow security briefings. Can you talk a little bit more about that?
Payton: Yes, sure. If people are just egregiously breaking policy, there should be a punishment for that. For example, the Russians know that Americans have an appetite for online porn, as seedy as that is to talk about. But because they know that, they hide malware in the porn. So if you have an employee in your network egregiously breaking policy -- hopefully you have one against porn -- and downloading porn, they could be putting your network at risk, besides the fact of what is it that they're doing all day that you're paying them, right?
That's an example of sort of a zero-tolerance policy, and that's a disincentive. Don't download porn or we will fire you because there are greater risks at stake. But you can make things kind of fun. One of the things that we did: We actually created around BlackBerrys. BlackBerry security is so important, and so is getting people to pay attention. They don't want to be a security expert. They don't want to go through a 30-minute briefing on how to keep the BlackBerry safe. They just want to know "What's the one or two things that I need to know?"
We dialed it down to this two-minute briefing. We would put a little card in there that just said the key points, here's a number to call us if you ever have any problems. But the key was we tucked the card in a little bag that had lots of White House logo branded goodies in it that people wanted, so it was memorable to them. In that moment of truth, in a two-minute briefing, were the key points they needed to hear, and we also made it kind of fun and memorable. That's going to be the key to sort of getting into the hearts and minds of the employees: They remember you don't need them to be an expert. You just need them to call you when things aren't right.