Crossroads Blog | CYBER SECURITY LAW AND POLICY


Secure IT

Finally found a text of the recent Republican cybersecurity proposal, the Secure IT Act

***

On March 5th, 2012, Brendan Sasso reported for The Hill on Secure IT.  According to the article, it looks like two GOP representatives (Reps. Mary Bono Mack and Marsha Blackburn) will introduce Secure IT in the House this week.  A spokesman for Rep. Mack argued that Secure IT is better than the "slew of new federal regulations [that] could stifle innovation and actually undermine cybersecurity efforts."

A White House spokeswoman had a great retort:  "Resorting to half measures, such as legislation that relies on corporations to share more information for their own benefit . . . is not sufficient to address our nation’s critical infrastructure vulnerabilities."

I wonder if the introduction of Secure IT means that Republicans are giving up on CISPA and the PrECISE Act, two earlier proposals that had relatively strong bi-partisan support in the House.

You can find The Hill article here.

***

On March 5th, Molly Bernhart Walker also reported for FierceGovernmentIT on Secure IT.  The article explained that Secure IT has private companies share cyber-threat information with existing cybersecurity entities (like the DOD cyber crime center, US CyberComm's joint ops center, and the intel community's incident response center) rather than creating a new entity for threat-information sharing.  Again, the CSA would put cybersecurity responsibility in DHS' hands.

Sen. McCain explained: "A primary objective of [Secure IT] is to enter into a cooperative information sharing relationship with the private sector, rather than an adversarial one rooted in prescriptive federal regulations . . . ."

The FierceGovernmentIT article made a good point: Secure IT emphasizes strengthening the current elements of the US cybersecurity establishment rather than "introduc[ing] radical changes."  That ease of implementation means that Secure IT has something going for it.

You can find the FierceGovernmentIT article here.

***

On March 5th, the Editorial Board for Bloomberg wrote an op-ed on cybersecurity legislation.  I really liked this op-ed, and thought it summarized the debate quite nicely.

Noting a string of cyber-attacks, the op-ed explained that cybersecurity is a national problem that requires quick action, but not overreaction.  Arguing that the CSA was a "noble start", the editors took issue with the controversial critical infrastructure definition; that definition is too narrow.  However, the CSA has a lot going for it.  The CSA allows companies to devise their own ways to meet federal security standards.  Moreover, the CSA provides for information-sharing between the private and government sectors.

Secure IT also has some things going for it, but it has a few more problems.  Companies might bite on incentives and increase their own cybersecurity, but the op-ed pointed out how expensive cybersecurity really is.  Would companies really want to foot the whole bill just because of some incentives?

In the end, the editors came out in favor of the CSA, and made two recommendations that make a lot of sense: broaden the definition of critical infrastructure and allow the NSA to share threat information (while still giving DHS ultimate authority). 

You can find the Bloomberg op-ed here.

***

Paul Rosenzweig wrote an in-depth blog post for Lawfare on Secure IT's information-sharing provisions; check it out here.
