Analysis: Dim Prospects for Cybersecurity Law in 2011Evaluating the State of Infosec Legislation in Congress
As the jingle explains, "I'm just a bill, on Capitol Hill. I will remain a bill until they decide to make me a law."
Earlier in the summer, my children sat in the gallery as I testified before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. Even better than the School House Rock episode, they received a civic lesson by watching their mom. Recently they asked me, 'When will we get legislation? Will one of these bills become a law?' The explanation wasn't as easy as the cartoon gives.
As the 112th Congress returned from summer recess, I tallied up all of the pending cybersecurity bills. The number is 32, excluding the intelligence and defense authorization bills. The wide range of topics contained in these bills includes: proposed changes to organizational responsibilities; instituting compliance and accountability mechanisms; implementing data accountability standards and reporting requirements for personal data privacy; establishing guidelines for cyber surveillance with technologies like GPS; assuring data breach handling and notification responsibility in the event of identity theft; enhancing cybersecurity education; advancing research and development grants; evaluating critical electric infrastructure protection and conducting vulnerability analysis of other critical infrastructures; expanding international cooperation on cybercrime; and addressing procurement, acquisition and supply-chain integrity. Many of these topics were also debated in the 111th Congress.
(Article continues after table.)
Yet, there are even more items not reflected in this litany of proposals that the administration would like addressed. The president's package was forwarded for consideration by Congress on May 12. It reflects the efforts of an interagency, consensus-based system and a diversity of views across six proposals. Two of those proposals have been considered in Congress over the past several years: Amending the Federal Information Security Management Act from a static compliance-based system to one of continuous monitoring; and providing a federal umbrella to unify guidance of the 47 disparate state data breach laws.
The other four proposals contained in the administration's package represent new legislative proposals. Briefly, they seek to (1) update the Computer Fraud and Abuse Act by stiffening penalties for breaches and theft of information; (2) grant new authorities for the Department of Homeland Security by enabling the deployment of intrusion prevention systems in the .gov domain and allowing DHS to turn to Internet service providers to conduct that mission on behalf of the government, with liability relief; (3) establish critical infrastructure regulation, set mandatory standards for covered critical infrastructures and an audit- and compliance-regime that requires private-sector entities to attest to cybersecurity risk-management plans; and (4) prevent restrictions on data center locations such that states would be prohibited from specifying that a data center be located in a particular location.
Clearly, cybersecurity remains a topic of interest and the sheer number of bills highlights the cross-jurisdictional interest of the subject. The 112th Congress has an opportunity to drive a new legislative conversation and address the shortfalls in our laws. But it won't be easy. There are competing views on how to position cybersecurity legislation; the Senate is pushing for an omnibus bill that comprises elements from each of the bills developed by its key committees, whereas the House of Representatives desires incremental reform via the introduction and passage of serial bills. This will be compounded by the work of the Joint Select Committee on Deficit Reduction, which is charged with developing a long-term plan to reduce the federal government's debt by at least $1.5 trillion over the next 10 years. As with nearly all other ongoing government programs, cybersecurity initiatives will face budget pressures and possibly funding cuts. Going forward, a premium will be placed on developing cost-neutral programs.
Where are the anchor points and areas where Congress could drive progress?
First, as the private and public sectors move toward rapid adoption of cloud computing, Congress should modernize the laws that are not keeping pace with today's digital environment, including the Computer Fraud and Abuse Act and Electronic Communications and Privacy Act . Our law enforcement community must be assured the continued ability to gather evidence and track criminals in the 21st century digital environment. The legislation of Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., (see Leahy Introduces Data Privacy Bill) along with the administration's proposal, outline the key areas for reform in these two laws.
Second, a national data breach umbrella is needed. The media reports how our insecure computers are being infected every day. It is not just our personal privacy that has been exposed through breaches at the NASDAQ Stock Market, Citigroup's e-mail system or Sony's PlayStation Network, but our government and corporate data is copied illegally on a regular and persistent basis.
There are over a dozen bills that recognize the need for data breach reform (see Senate Panel OKs National Breach Notification Bill). The debate will clarify reporting requirements and identify what data fall within the law. For example, many state data breach laws are limited to personal identifiable information (e.g., birth date, Social Security number, credit card data). Will a national umbrella be extended to include notification procedures of proprietary or other sensitive data (e.g., weapon systems, RSA SecureID)? Either way, normalizing the disparate reporting requirements will streamline processes and likely reduce administrative costs and legal fees. It may also facilitate greater transparency on the breadth and frequency of breaches of our enterprises.
Third, FISMA should be updated from information security requirements that are compliance driven (checklist) to ones that are performance based. The administration's proposal builds upon the State Department's Risk Scoring tool, which measures its systems on a continuous basis against known vulnerabilities and offers meaningful feedback in the form of actionable remediation techniques to the operators of the State Department's global networks (see Beyond FISMA: State Dept.'s Next Gen Metric). It also provides a framework of high-level feedback to senior managers to ensure accountability.
Sen. Thomas Carper, D-Del., and Rep. Diane Watson, D-Calif., introduced bills in the 111th Congress to reform FISMA. Watson retired from Congress, but Carper carried forward his ideas in the 112th Congress and these views are contained in the Cybersecurity and Internet Freedom Act of 2011 (S. 413), which potentially will be rolled into the Cyber Security and American Cyber Competitiveness Act of 2011 (S. 21). Some argue that this proposal is not cost neutral. The Congressional Budget Office conducted a study that suggests this reform may actually increase information technology expenditures. But can we really afford not to continuously monitor our enterprises? If we use the State Department as our test agency, it would suggest that cost avoidance and risk reduction can be simultaneously realized.
Finally, while not a legislative proposal, each member of Congress could use their respective reach across America to hold meetings with their constituents and begin a national conversation regarding cybersecurity in their district. Roundtable discussions with industry could highlight local problems, provide insight from national resources (e.g., FB, DHS and Department of Commerce), and promote learning among local grass-roots efforts that are initiated by businesses who can no longer tolerate being victimized by criminals and foreign governments alike. Local schools and libraries could benefit from plain talk about basic computer hygiene and what it means to be a cyber citizen. Members could choose to build upon DHS's "stop-think-connect" campaign or use materials from the National Cyber Security Alliance's StaySafeOnline.org.
The next generation of digital natives, like my sons, is being asked to bring thumb-drives and netbooks to and from school. Can we challenge them to be a part of the solution and help drive innovation, creativity and make it more difficult for criminals to threaten our homes, schools, businesses, and nation? The small investment of time in each Congressional district may prove to have a greater near-term impact than the previous legislative proposals.
If Congress focuses its efforts on the areas where members appear to agree reform is needed, then it is possible that a cybersecurity bill will finally become a law. The proposals, if adopted, will make incremental change and a small difference in our cybersecurity posture. Bolder steps are needed but are unlikely to be taken given the combination of this fiscally constrained environment, politically divided Congress and the upcoming presidential election cycle.
Returning to the jingle in School House Rock, I fear we will continue to watch the bills "sit here and wait, while a few key congressmen sit and debate. It's not easy to become a law." Of course, I would like to be wrong and hope we can gain consensus on the urgency of the situation and move our country toward making progress on programs and reducing the information security risk of the nation.
Melissa E. Hathaway, president of Hathaway Global Strategies and senior adviser at the Harvard Kennedy School's Belfer Center, led President Obama's Cyberspace Policy Review as National Security Council acting senior director for cyberspace. Hathaway, who also led the development of the Comprehensive National Cybersecurity Initiative in the Bush White House, is a member of GovInfoSecurity.com's Board of Advisers.