State of Play for the Cybersecurity Debate
March 21, 2012
Government Relations Update
The Senate is expected to take up cybersecurity sometime following the April congressional recess. Democrats and Republican leaders of key committees have introduced competing packages, with the Democratic legislation focusing on protecting “critical infrastructure,” while the Republican bill is aimed at fostering information sharing between the public and private sectors. Senators Lieberman and McCain have met to discuss whether they can come to some agreement, but the talks have not yet been fruitful. Neither bill has been subjected to the regular committee process, but Majority Leader Reid has indicated that he plans to bring the Democratic bill to the floor, perhaps as soon as mid-April.
The Cybersecurity Act of 2012 (S. 2105)
Introduced by Sen. Joe Lieberman (I-CT), Sen. Susan Collins (R-ME), Sen. John Rockefeller (D-WV) and Sen. Dianne Feinstein (D-CA), the Cybersecurity Act of 2012 aims to give government and the private sector additional tools to protect critical infrastructure from cyber attacks. The bill would require the Department of Homeland Security (DHS) to conduct risk assessments to identify the most significant cyber threats and then establish cybersecurity performance requirements for “critical infrastructure systems and assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations.” Owners of critical infrastructure would have flexibility to meet the performance requirements as they see fit, and assets that are already “appropriately secured” would be exempted from the requirements. The legislation also creates a “cybersecurity exchange,” through which public and private sector entities can share information about cyber threats, while ensuring that privacy is protected. Additionally, the bill would require the federal government to develop a comprehensive acquisition risk management strategy and directs the Office of Management and Budget (OMB) to develop security requirements and best practices for federal IT contracts. The legislation consolidates existing cyber offices to create a National Center for Cybersecurity and Communications and reforms the way cybersecurity personnel are recruited and trained to ensure that they are prepared to protect federal networks. Finally, the bill consolidates cybersecurity research and development programs to encourage the development of new technologies.
SECURE IT Act (S. 2151)
Introduced by Sen. John McCain (R-AZ), Sen. Kay Bailey Hutchison (R-TX), Sen. Chuck Grassley (R-IA), Sen. Saxby Chambliss (R-GA), Sen. Lisa Murkowski (R-AK), Sen. Dan Coats (R-IN), Sen. Ron Johnson (R-WI) and Sen. Richard Burr (R-NC), the SECURE IT Act focuses on facilitating information sharing between private companies and the government. The legislation gives public and private entities additional authorities to share information using existing Federal cybersecurity centers; establishes new cybersecurity requirements for federal contractors; and creates limited liability and antitrust exemptions to facilitate information sharing, while maintaining protections for personally identifiable and classified information. The legislation also gives the government expanded powers to disclose cyber threat information obtained from the private sector for “national security purposes” and to investigate or prosecute certain criminal offenses. The bill updates the Federal Information Security Management Act (FISMA) to improve the security of Federal information systems; it directs DHS to conduct ongoing threat assessments and empowers the National Institute of Standards and Technology (NIST) to set cybersecurity standards for government networks; and it instructs the Secretary of Commerce to issue cybersecurity requirements for all government agencies with the exception of national security systems. The legislation updates the Computer Fraud and Abuse Act (CFAA) to streamline penalties for cyber crimes and establish a criminal violation for “aggravated damage to critical infrastructure.” The bill also reauthorizes certain cybersecurity research and development programs and requires agencies to outline strategic research plans and to track and publish R&D spending information.
While both bills contain information-sharing provisions, the Lieberman draft creates a “cybersecurity exchange,” designated by the Department of Homeland Security, through which public and private sector entities can share information about cyber threats. The McCain bill focuses on facilitating information sharing by giving companies the authority to share threat information with a variety of federal agencies. Private sector companies have said they would like to share more information with both the government and other private companies, but they are currently hindered by a number of legal barriers. While Republican bills aim to eliminate barriers to information-sharing by creating liability protections, many have expressed concerns that these liability protections sweep too broadly.
The Lieberman bill restricts government’s ability to disclose cyber threat information to law enforcement, stating that such information may only be disclosed when it “appears to relate to a crime which has been, is being or is about to be committed.” The McCain bill allows the government to disclose cyber threat information for cybersecurity and national security purposes. Privacy advocates have expressed concerns about both pieces of legislation, saying that the limitations are written too broadly.
The Lieberman bill gives DHS broad authority to designate critical infrastructure and to establish performance requirements for such designated entities. Depending on the scope of DHS’s definition, the agency could find itself with significant regulatory authority over a wide range of privately-owned entities, although those entities would be able to choose how to satisfy the performance requirements. The McCain bill does not establish specific requirements for critical infrastructure. Rather, it requires certain federal government contractors to report “any cyber threat information” that is “directly related to such contract.”
The Lieberman bill is silent on criminal penalties for cyber attackers, but it does create a compliance and enforcement framework for public and private sector entities to ensure that designated entities are meeting their performance requirements. The McCain bill updates the Computer Fraud and Abuse Act (CFAA) to codify penalties for cyber crimes and establish a criminal violation for “aggravated damage to critical infrastructure.”
Research and Development:
Both bills reauthorize certain programs to provide funding for cybersecurity research and development efforts. The McCain bill differs in that it also requires federal agencies to outline strategic research plans and to track and publish R&D spending information.
House Republicans have been making efforts to coordinate cybersecurity strategy to come up with a package or several bills that Leadership can bring to the floor. There are several committees with jurisdiction over relevant issues and staff have been meeting for months. House Leadership is expected to bring cybersecurity to the floor at the end of April.
Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523)
Introduced by House Intelligence Committee Chairman Rep. Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD), the Cyber Intelligence Sharing and Protection Act of 2011 is similar to the SECURE IT Act in that it focuses on fostering information sharing between government and the private sector. The legislation requires the Director of National Intelligence to establish procedures to allow the intelligence community to share cyber threat intelligence with private-sector entities and to encourage information sharing. The legislation exempts voluntarily-shared information from public disclosure and provides liability protections for private sector entities that engage in information sharing. The legislation does not compel any private sector entities to share information, nor does it prescribe which government agencies the information may be shared with.
House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade Chairman Mary Bono Mack (R-CA)
Rep. Bono Mack has supported the SECURE IT Act, and it is anticipated that she will introduce similar legislation in the House in the coming weeks. Rep. Marsha Blackburn (R-TN) is expected to support the legislation.
Other Issues to Watch:
Mandating Security Measures:
Many in industry, academia and government alike have cautioned Congress against prescribing specific cybersecurity standards. They have argued that such regulations would force companies to place too much emphasis on compliance at the expense of innovation; they would lack adequate flexibility to keep pace with ever-changing technologies; and they could provide a roadmap to adversaries that are trying to launch cyber attacks by clearly defining the countermeasures being utilized.
Data Breach Notification:
In the wake of several high-profile breaches of public and private sector networks, many have called for more robust federal data breach notification standards to replace the "patchwork" of state standards. Opponents argue that states with their own data breach notification standards should not be preempted by weaker federal standards. None of the bills currently under consideration contain data breach notification standards; however, Senator Leahy has indicated that he would offer his bill as an amendment. Industry continues to push for a national standard, and the authors of the McCain legislation have said they hope to continue to work toward a consensus on a uniform, national standard.
Supply Chain Security:
In addition to the growing prevalence of Internet-based cyber attacks, many recent attacks have originated in hardware, raising concerns about supply chain security, particularly when so many physical systems are manufactured overseas. While none of the current bills address supply chain security, some have called for additional efforts to secure the U.S. IT supply chain, including calls for incentives for private sector companies to ensure the quality of their products.
A wide range of stakeholders have called for increased attention to consumer awareness and computer literacy. Questions have been raised in a number of hearings as to whether consumer education should be the responsibility of the public or the private sector, but all stakeholders are in agreement that cybersecurity education at the individual user level is crucial to promote cybersecurity.
Freedom of Information Act:
On March 13, 2012, the Senate Judiciary Committee held a hearing entitled, “The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public’s Right to Know.” The committee heard testimony about the appropriate role of Freedom of Information Act (FOIA) exemptions in cybersecurity legislation. While many have called for very narrow exemptions to protect the public interest, private sector advocates have countered that they will have some hesitations about voluntarily sharing proprietary information if it could be made public through a FOIA request.
Many in industry and in government have called for international coordination of cybersecurity efforts. The International Cybercrime Reporting and Cooperation Act (S. 1469) has been introduced in the Senate to require reporting on foreign countries’ capacities to combat cybercrime and to allow the President to develop action plans to strengthen enforcement mechanisms in such countries to combat cybercrime.