The technology industry has been excluded from the government's definition of what constitutes the nation's critical infrastructure, giving them a free pass from regulations. While this may be good for IT businesses, telecom companies like AT&T and Verizon Communications are crying foul.
Information technology is crucial to business, and according to these telecom companies, IT is just as important in securing power plants, telecommunications and water filtration systems. Which is why they want IT companies to be listed as part of the nation's critical infrastructure, something IT vendors are resisting because they don't want to be saddled with more government regulation.
The very political situation raises many questions, and has few answers.
Obama's Executive Order
Currently, IT - think companies like Microsoft, IBM, Apple, Oracle, Cisco and more - is excluded from the government's definition of critical infrastructure, as defined by President Obama in an executive order issued last month. In directing the Secretary of Homeland Security to identify critical infrastructure at the greatest risk of attack, the order says the Secretary "shall not identify any commercial information technology products or consumer information technology services under this section."
This exclusion, the result of heavy lobbying by the IT industry, is not sitting well with telecom companies, such as AT&T and Verizon. They believe technology vendors are as important as the network operator in building adequate security to fend off cyberattacks from terrorists.
"The Internet ecosystem is far more interconnected and dependent on a host of players than it was even five years ago," a Verizon spokesman said.
While the government battles terrorism, telecom and IT companies are trying to fend off regulations. The executive order sets the groundwork for cybersecurity legislation from Congress. So far, the IT industry has been excused, and the telecom industry wants it to share whatever regulatory burden results from current negotiations between the White House and Congress.
"The telecom community is concerned the tech industry is going to get a free pass here," David Kaut, a Washington analyst with Stifel Nicolaus & Co. told Bloomberg. "You have an ecosystem and only the network guys are going to get submitted to government scrutiny."
Telecom companies have a point when it comes to critical infrastructure. Hackers who break into the Windows computer of a telecommunications company could wind their way into control systems and shutdown wireless or landline service for hundreds of thousands of people. But is regulating IT security directly the best way to prevent such a breach? I don't believe so.
Instead of more regulations, the government should focus on requirements for companies directly involved with maintaining the nation's critical infrastructure. As IT customers, these companies, which include utilities, financial institutions, defense contractors and manufacturers, are in a much better position to get the security they need built into the products they agree to buy. If an IT company such as Microsoft, Oracle or IBM cannot meet the requirements, than another one will.
"Commercial products and services often are the weakest link, but regulating them directly means imposing costs that many users won’t be able to shoulder," Stewart Baker, a partner at law firm Steptoe & Johnson and a former assistant secretary for policy at DHS, said. "So you end up imposing costs on everyone to protect a portion of the economy."
This issue is sure to come up during negotiations underway between the White House and congressmen supporting a cybersecurity bill introduced in the U.S. House Intelligence Committee. The bill emphasizes sharing threat information between businesses and government, while the Obama administration also wants minimum security standards set for the most critical companies.
For telecom companies to get what they want, they will have to convince the Republican majority in the House, which adamantly opposes more government regulation, to broaden the cybersecurity bill to include the IT industry. That's unlikely, so telecom and other critical infrastructure companies should be prepared to take full responsibility for securing their systems.
Image courtesy of Shutterstock.