On Jan. 29, 2012, Politico ran an op-ed on cybersecurity legislation written by Senators Kay Bailey Hutchison, Chuck Grassley, Saxby Chambliss, and Lisa Murkowski. All four are Republicans.
Many members of Congress have said that cybersecurity legislation needs to pass quickly. President Obama called for its passage in his recent State of the Union address. There are at least four bills floating around, and the cyberattack on the Chamber of Commerce reportedly gave Congress new impetus to act. Even with all this momentum, though, politics seems to be slowing the process, and this Politico op-ed highlights that political battle.
The op-ed opened with the line "there is a right way and a wrong way to address cybersecurity." The Senators argued that the right way involves a looser approach that promotes the flow of information and encourages private-sector innovation. The wrong way? "New, heavy-handed, costly regulation and further expansion of government bureaucracy." That "heavy-handed regulation" is a reference to the Senate Democrats' and President Obama's version of cybersecurity legislation.
Along the same lines, the Senators argued that cybersecurity legislation should not create new regulatory regimes, but should instead strengthen the ones that already exist. In their view, strengthening existing regimes would do more to protect critical infrastructure than giving DHS a whole new host of powers.
Within that regulatory framework, the Senators believe that "the single most effective way of advancing cybersecurity is sharing cyberthreat information between the government and industry, as well as within the private sector." They argue that current law discourages threat-sharing, leaving both government and private entities vulnerable to cyberattack. The biggest goal of cybersecurity legislation, then, should be to facilitate information sharing by knocking down legal barriers and encouraging it not only between the private sector and the government, but among private-sector firms themselves. Additionally, the Senators believe the US government must do two things: protect its own systems, and leverage federal research institutions (like DARPA) to increase US cybersecurity innovation.
Interestingly, the Senators also call for an expansion of the Computer Fraud and Abuse Act (CFAA), the US anti-hacking statute. This expansion would increase penalties, create new offenses, and clarify what conduct is illegal. They see it as part and parcel of effective cybersecurity legislation.
You can find the Politico source op-ed here.
***
I think both camps have advocated for greater threat-information sharing. Both will probably give DHS more cybersecurity power (though the proposals vary on how much). Both agree that Congress needs to pass cybersecurity legislation. The argument seems to come down to how to facilitate that threat-information sharing, and just how much power DHS will have. Is it better to promulgate cybersecurity regulations (which Republicans characterize as heavy-handed), or to incentivize the private sector to improve its own cybersecurity and share threat information?
Whatever the case, expect more news on cybersecurity legislation in the coming weeks as Senators bring their proposals to the floor.
Mike
This proposal would have done absolutely nothing to prevent the recent Stratfor hack: the threat was well known and endlessly shared; the firm was targeted by Russian infiltrators a year earlier and used that fact for marketing purposes; and the utility of encrypting credit card information (which Stratfor retained for years after customers cancelled their subscriptions) is security 101. So how do you deal with firms that simply don’t care or are too lazy or contemptuous of their customers? It certainly isn’t through more “sharing” but through massive penalties when the simplest safeguards are ignored.
Zach W.
Mike:
Thanks for your comment. Well said, and that’s a great point about Stratfor.
Playing devil’s advocate, maybe we deal with firms that simply don’t care by incentivizing them to care. That’s a pretty weak argument though; they should care regardless of incentives.
I’ve got a feeling that an incentive approach just won’t cut it.