Crossroads Blog | CYBER SECURITY LAW AND POLICY

Criticism, Legislation

More On CSA And Secure IT

Quick reminder:

CSA=Cybersecurity Act of 2012, a cybersecurity bill from Senate Democrats that would put cybersecurity responsibility in the DHS' hands.  The bill has a more regulatory nature.

Secure IT is a cybersecurity bill proposed by Senate Republicans that would rely on private sector incentives and information-sharing.  It has a decidedly less regulatory tone.

***

On March 6th, 2012, Michael O'Connell made a cybersecurity proposal for FederalNewsRadio.  Specifically, O'Connell thought that the Senate should combine the best portions of the CSA and Secure IT in order to create a new comprehensive bill.

What are the best parts of Secure IT?  The bill's privacy protections, methods for government receipt of cybersecurity information, and focused definitions of critical infrastructure. 

What's the problem with Secure IT?  The security measures are all voluntary. 

As for the CSA, the bill's strength comes from its mandatory nature.  The article didn't mention any weaknesses, but I would have to guess the imprecise nature of the CSA's critical infrastructure definition would make the list.

***

On March 6th, Leslie Harris wrote for The Huffington Post on the NSA's role in Secure IT.  I was initially surprised when Secure IT gave the NSA a limited role in cybersecurity; Sen. McCain had previously argued that the NSA deserves a greater role when he criticzed the CSA.  However, the article notes that the devil is in the details, and picks up on something I missed: the NSA might have a greater role through the bill's information sharing provisions.

Now, the NSA definitely does not have the ability to oversee private computer networks under Secure IT.  However, the article notes that "SECURE-IT Act authorizes sharing that goes well beyond what is truly necessary to describe a cyber threat or to engage in self-defense and includes anything that would foster 'situational awareness of the United States security posture.'"

By contrast, the CSA limits cyber-threat sharing to "cyber threat indicators for intelligence surveillance purposes."  The author believes that Secure IT has no such limitation.

The author is troubled by the absence of this limitation and believes that personal information, not related to cybersecurity, could fall into the "situational awareness" category.  In this sense, the NSA could get its hands on this personal information through the broad and potentially unlimited information sharing provisions of Secure IT.

You can find the HuffPo article here.

***

Along the same lines as the HuffPo article, Joseph Menn reported for Reuters that civil liberties groups have slammed Secure IT for possible civil liberties violations.  Notably, the article quoted an ACLU spokeswoman as saying "This is a privacy nightmare that will eventually result in the military substantially monitoring the domestic, civilian Internet."

Secure IT's information-sharing language is apparently so broad that Jerry Brito (of George Mason Law) said that the NSA could drive a freight train through it.

Interesting point in the bottom of the article: a Senate aide said that the Senate probably won't pass either Secure IT or the CSA.  Rather, the two sides will probably compromise in the coming weeks.

***

On March 6th, Mathew J. Schwartz wrote for InformationWeek Security on cybersecurity legislation.  The article quoted a cyber-expert from Kaspersky Labs: 

"After Stuxnet, I got quite involved with the U.S. critical infrastructure, and what's very clear to me is that unless things are mandated by D.C., nothing is changing . . . These companies are being run for the bottom line, and there's simply no budget for anything that's not being mandated by D.C."

***

Sens. Rockefeller, Liberman, Collins, and Feinstein wrote an op-ed for CNet on March 6th.  You can probably guess the content of the op-ed; it was in favor of the CSA. 

***

John C. Dvorak wrote for PCMag.com on the CSA.  In his article, Dvorak compared the CSA to Sarbanes-Oxley, and argued that the CSA will do nothing to protect  companies from international hacking, but will rather create a complicated need for compliance.

Leave a Reply