Cybersecurity Legislation: Solution or Distraction?
After three years of debate and intense horse-trading, four major pieces of cybersecurity legislation have collided on Capitol Hill. Each claims to provide definitive policy and legal answers on how the United States should protect itself from crippling cyber-attacks.
The 111th Congress started out with more than 80 pieces of draft legislation, which the 112th Congress whittled down to 35. It may fall on the 113th Congress to take final action.
Each of the resulting four bills has been endlessly revised as committees sought to sponge up a torrent of conflicting bureaucratic and business agendas. Congress and the White House continue to attempt to hammer out a coherent document that can guide the nation forward.
No resolution is expected during an election year. But even if Congress managed to schedule a vote, national security experts worry that whatever emerges from the legislative morass will not answer basic questions about how U.S. government agencies and industry can better fend off network intrusions.
Government contractors, especially those that are responsible for sensitive Defense Department and intelligence information networks, caution that the legislation in its current form will be ineffectual because it puts other priorities ahead of national security. The legislation tries to cover all bases, but it does not go far enough because it fails to make cybersecurity an “immediate national security concern,” said Rolando R. Sanchez, a litigation and government contracts attorney at Hollingsworth LLP.
Sanchez chairs a defense industry group that has reviewed and commented on the proposed legislation and guidelines.
“Because that basic approach is not being followed, there is no urgency and no definite role for government,” he added.
In the absence of a sense of urgency, “different groups stall the legislation,” said Sanchez. National security interests in this case are at odds with corporate priorities such as warding off government interference. “If cybersecurity legislation were approached as a national security concern,” the business interests would adjust accordingly, Sanchez contended. One of the federal government’s primary roles is the defense of the nation, he said, so cybersecurity concerns would trump other agendas.
Companies in the defense industry, several of which are Sanchez’ clients, worry that theft of sensitive intellectual property by other nations’ governments or groups severely compromises U.S. interests, he said. “The defense industrial base is being entrusted with the nation’s crown jewels, and you have nation states trying to access this,” Sanchez said. “This needs to be recognized” by Congress in the upcoming legislation, he said.
Pentagon contractors, to be sure, also stand to profit from government efforts to protect networks. The federal government’s biggest agency and spender on cybersecurity is the Defense Department. The Pentagon’s estimated budget for information security for fiscal year 2013 is between $3 billion and $4 billion, said Tim Larkins, a market analyst at immixGroup Inc.
Most of the cybersecurity debate on the Hill has been dominated by divisive issues such as privacy rights, government overreach, liability and financial burdens on companies, and by turf battles over whether Defense or Homeland Security should be in charge. Congress turned cybersecurity into another hyperpolarized issue, like climate change, Sanchez said. “The tragic part is the way that as cybersecurity legislation is evolving, national security is being pushed to the side,” he added. “Privacy and business concerns are extremely important, and any legislation must address these concerns … [but] if you ask people who know even just a little bit about cyber, they will agree that it is a national security concern.”
Outside the defense industry, however, network intrusions are seen in a different light. In the civilian world, industries such as finance and banking would like the government to pay more attention to the electronic espionage and theft that already is costing many sectors of the U.S. economy billions of dollars, said Howard Teicher, vice president of public sector at Radware, a company that provides cybersecurity services.
The politicization of cybersecurity is viewed outside the Beltway as further proof that Congress is out of touch, Teicher said. “In the private sector, companies are more concerned about financial crimes,” he said. “It’s off the charts.”
In Washington, “you don’t get a sense of the magnitude of the threat,” said Teicher. “When you go to conferences around the country everyone is focused on hacker criminals who break into banks, looking for credit card and banking information, and siphoning off money.” The government’s emphasis is on protecting critical infrastructure and military networks.
Industry would like more “clarity” on what the true threats are in cyberspace, said Teicher. Congress is not providing the guidance that the private sector would like, and instead is “actively engaged in trying to reconcile different bureaucratic and legislative opinions on who is responsible for what and who should pay for what.”
The private sector is accused of not wanting to pay its fair share of cybersecurity costs, said Harry Raduege, chairman of the Deloitte Center for Cyber Innovation. “But companies would be willing to pay more if they had more clarity on what the threats are,” he said.
Not knowing who the enemy is or the scope of the threat is a real problem for the private sector, both in the military-industrial complex and the commercial arena, said Tom Malatesta, chief operating officer of Ziklag Systems, a company that recently made headlines for unveiling new software that is said to neutralize the “Flame” malware on mobile phones.
“The private sector can’t figure out how much money they need to spend on cybersecurity solutions per se,” he said. Congress is at least three to four years behind in addressing the problem, said Malatesta. “I think the government has to do something,” such as setting minimum standards of cybersecurity with which everyone should comply, he said. “If you leave it up to business, they won’t do it. … Government is the logical body to start evaluating standards, particularly with the critical infrastructure,” Malatesta said. “There is no benchmark, so everyone is splashing around in the pool.”
Election-year scheduling conflicts are no excuse for Congress’ failure to produce useful legislation, he said. “This is an election year, but what about the last four years?”
Gregory Wilshusen, director of information security issues at the Government Accountability Office, said private investments in cybersecurity need to make business sense. “There often are competing demands for cybersecurity investments,” he told the House Homeland Security subcommittee on counterterrorism and intelligence.
Industry officials expect Congress to mandate that the government and the private sector share threat information so both sides can invest their resources wisely, but they called that an unrealistic goal.
Malatesta said sharing information is a worthy aim, in principle, “but it’s never going to happen” if corporate interests are compromised in the process, he said. “Companies are not going to share meaningful information if it’s detrimental to them.”
David Fastabend, a retired Army lieutenant general and vice president of ITT Corp., said that sharing cyberthreat information is “immensely problematic.”
Companies want greater insight into potential threats to their networks, but do not want to be held responsible for breaches that they might be powerless to stop, he said. “People are reluctant to share information if they think it’s going to expose them to liability.”
Fastabend agreed with others in industry that the upcoming legislation should set standards for cybersecurity, but even that is barely going to make a dent in the problem. “Our institutions can’t keep up with the speed of the threat.”
CYBERSECURITY LEGISLATION: THE FINAL FOUR
House Cyber Intelligence Sharing and Protection Act
The Cyber Intelligence Sharing and Protection Act, H.R. 3523, passed the House by a bipartisan vote of 248-168. It would allow the director of national intelligence (DNI) to establish intelligence-sharing mechanisms between the intelligence community and the private sector. CISPA grants more control to the private sector than the other proposals in limiting the use of information provided to the federal government or other private sector entities. It allows companies submitting information to set additional anonymization standards and to prohibit sharing of the information with specific federal agencies. Shared information is protected from public disclosure or use for unfair trade advantage.
Senate Cybersecurity Act of 2012
The Cybersecurity Act of 2012, S. 2105, authorizes additional public-private information sharing with DHS, similar to the Obama administration’s proposal, and among private sector entities. The bill requires that DHS establish guidelines for sharing cybersecurity threat and vulnerability information to protect privacy and civil liberties, in consultation with the attorney general and DNI. It would also establish a full-time privacy officer to ensure compliance with the guidelines. The federal government must also explicitly protect against the disclosure of personal information, and any intelligence shared with the government would be protected from public disclosure. Businesses may share intelligence as long as they follow these restrictions and do not use shared information to gain an unfair trade advantage.
The bill, sponsored by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, is opposed by many Republicans who view it as imposing costly regulations on the private sector.
Senate Majority Leader Harry Reid, D-Nev., had said he planned to bring S. 2105 to the floor in July. It would be facing a competing bill, the SECURE IT Act, supported by Sen. John McCain, R-Ariz.
Senate SECURE IT Act
The SECURE IT Act, S. 3342, would establish cybersecurity intelligence sharing between the private sector and multiple centers throughout the federal government. These centers must follow standards set by the secretaries of Commerce and Homeland Security to protect personal and trade information, and those providing information would be protected from legal reprisal or public disclosure of shared content. Additional control is provided to the private sector, as those sharing information must provide consent before data may be shared with government. Any shared knowledge may only be used for cybersecurity, national security, or law enforcement purposes.
The private sector, represented by the U.S. Chamber of Commerce, has thrown its support behind SECURE IT.
In a June 29 letter to lawmakers, R. Bruce Josten, the chamber’s executive vice president for government affairs, endorsed the bill as the one that best addresses the private sector’s concerns. “This path provides the best opportunity of staying ahead of fast-paced cyberthreats,” said Josten. “The chamber also agrees that Congress should not layer additional cybersecurity regulations on the business community. New compliance mandates would automatically drive up costs and misallocate business resources in a tough economy without necessarily increasing security.”
The Obama Administration Proposal
This plan seeks to strike a compromise between the two competing Senate bills. It assigns DHS the responsibility of carrying out cybersecurity information sharing. Private-sector information used by the government must be related to cyberthreats to federal networks or critical infrastructure, personal information must be protected from unauthorized access or disclosure, and those using federal networks must be notified that their traffic may be monitored. Shared information may also be used for law enforcement purposes with the approval of the attorney general. Cooperation with the federal government is protected from public disclosure. Sens. Sheldon Whitehouse, D-R.I., and Jon Kyl, R-Ariz., have voiced support for the White House plan.
SOURCE: Bipartisan Policy Center