Seeking Compromises on CyberSec Bills
Hearings Uncover Obstacles Measures Face
October is officially cybersecurity month, but don't tell that to the Washington politicos, who have spent much of January discussing ways to secure information systems and data.
Earlier in January, in the run-up to his Jan. 20 State of the Union address, President Obama touted a series of cybersecurity legislative proposals, including cyberthreat information sharing and a national data breach notification standard. This past week, Congress turned its spotlight on cybersecurity, holding a series of hearings on ways to make cyberspace safer for government, business and Americans.
Even the Senate Judiciary Committee's confirmation hearing on Loretta Lynch to be attorney general addressed cybersecurity, when the nominee called for a tough approach against cybercrime. "We need to up our game in terms of cyber activity [and] have the resources to keep up with cybercrimes in terms of detection and even before the apprehension of cybercriminals," Lynch testified.
This attention in Congress suggests that lawmakers are more serious than ever about enacting cybersecurity legislation. Congress hasn't always acted swiftly on significant IT security bills. It took a half-dozen years to reform the Federal Information Security Management Act, the law that governs federal government IT security; Congress finally enacted a bill with a similar moniker, the Federal Information Security Modernization Act, late last year.
Hurdles to Be Cleared
It shouldn't take Congress another six years to pass other critical IT security legislation, but as revealed at several of this week's hearings, obstacles remain.
At the Jan. 28 hearing of the Senate Homeland Security and Governmental Affairs Committee, Chairman Ron Johnson, R-Wis., asked witnesses - mostly industry experts - what barriers they saw in getting cyberthreat information sharing legislation enacted.
Gregory Nojeim, senior counsel at the advocacy group Center for Democracy and Technology, pointed to the National Security Agency's bulk collection program. Congress last year tried, and failed, to enact legislation - the USA Freedom Act - to curtail the NSA's bulk collection of communications metadata.
"You've got to do that before you get to cybersecurity information sharing because everyone knows that some of this information sharing in the cybersecurity program is going to end up at the NSA," Nojeim said. "Unless you do something to reform that, I don't think you could do the cyber [sharing] first."
Another impediment to passing cyberthreat information sharing legislation is providing sufficient privacy protections. Nojeim and other privacy advocates want an information-sharing bill that requires businesses to strip personally identifiable information from any data before it's shared. President Obama's proposed information-sharing legislation would require businesses to make a reasonable effort to excise data that could be used to identify specific individuals before sharing it.
But Scott Charney, Microsoft corporate vice president for trustworthy computing, told Johnson that situations exist in which some PII, such as IP addresses, should be shared. "The way to solve this problem, generally, about using PII is to make sure that when the government wants to get personally identifiable information, it uses the transparent, judicial procedures already in place, with which we're all familiar, and balances the competing interest between government access to PII and privacy."
Another obstacle: how to provide liability protection for businesses that share cyberthreat information. Businesses don't want to be penalized for disclosing cyberthreat information if doing so would expose practices that could result in a civil lawsuit or criminal complaint. Marc Gordon, executive vice president and CIO for American Express, says the Obama proposal fails to furnish liability protection when businesses share cyberthreat information with each other rather than through a government-operated hub. Companies, he says, don't like proposals that would, for example, require audits as a condition of getting liability protection. Others see such conditions as incentives to ensure companies act in good faith when sharing cyberthreat information.
Nationalizing Breach Notification
Legislation to nationalize data breach notification faces similar obstacles (see Barriers to Passing Federal Breach Notification Bill). Most industry groups favor a single, national law because it would pre-empt the existing 47 state statutes, simplifying compliance for businesses, which would need to follow only one law. It's a point the president made in his national data breach notification bill, and one that federal lawmakers who have introduced national notification legislation over the years have made as well. But privacy and civil liberties advocates contend these national legislative proposals that pre-empt state laws would weaken protections guaranteed by some state statutes. For instance, CDT's Nojeim points out, California's data breach notification law covers medical records, a protection the president's and other lawmakers' plans would void.
It's doubtful that a majority of lawmakers feel as strongly about usurping state laws - and the protections they furnish - as do the privacy advocates, but there could be enough legislators to block passage of a national bill, especially in the Senate, where 60 votes are needed to halt a filibuster.
Still, having barriers to passage doesn't mean they cannot be surmounted. With highly publicized breaches these past couple of years, Congress wants to enact new cybersecurity laws, and lawmakers may be more willing to compromise than they have in the past. After all, FISMA reform remained bottled up in Congress for years, in part, because some key lawmakers didn't want to give the Department of Homeland Security authority over civilian agencies' implementations of cyber protections. With breaches mounting, lawmakers agreed on compromise language that reiterated the Office of Management and Budget's key policy role in government IT security while codifying DHS's powers to enforce those policies.
Plus, Republicans who control Congress want to prove they can govern, and cybersecurity is a realm where they're in general agreement with the Democratic president. "It's a matter of concentrating on the shared goal of trying to reduce these cyber-attacks," Johnson told reporters following the hearing, according to the news site The Hill. "So I'm actually encouraged by it."
Sen. Tom Carper of Delaware, the panel's ranking Democrat who sponsored FISMA reform last year, said he intends to introduce "sensible" cyberthreat-sharing legislation, perhaps in conjunction with Johnson.
Look for lawmakers to compromise on the latest cybersecurity-related legislation. It will take some time, but likely not another six years.