In response to the growing cyber threat, Congress has been busy drafting legislation. Last year alone our representatives introduced more than 40 bills and resolutions with provisions relating to cyber security. In both the House and the Senate, and across party lines, members and their staff are educated, engaged, concerned and active. Change is in the air. Unfortunately, that is as far as it has gotten. Despite the growing threat, it has been over a decade since Congress sent a major cyber bill to the President. What follows are the most significant areas under consideration.
In 2002, Congress placed federal executive agencies under the requirements of the Federal Information Security Management Act. Under FISMA’s compliance-based standards, federal agencies spend $15 billion annually on IT security. Yet, according to the Government Accountability Office, most federal agencies remain unable to track their cyber security goals and objectives. In response, the House recently passed the Federal Information Security Amendments Act of 2013 and sent it along to the Senate. Among other things, the bill would require federal agencies to conduct vulnerability assessments and penetration tests; and to use automated, continuous monitoring when possible to “detect, report, respond to, contain and mitigate incidents.” Although these added requirements would cost agencies a total of $150 million a year, no new funds are authorized.
Critical Infrastructure Protection
There is a longstanding debate about whether critical infrastructure security should be voluntary or mandatory. Earlier this year, President Obama issued an Executive Order directing the National Institute of Standards and Technology to develop a framework for these companies to voluntarily adopt. Step one is to gain adoption through government incentives. Should that approach fail, the Order gives the nod to regulatory agencies to consider appropriate mandates. The Senate’s recently introduced Cybersecurity Act of 2013, if passed into law, would codify only the voluntary aspects of that approach. This marks a significant departure from last year’s proposed Cybersecurity Act, which focused on developing mandatory risk-based cyber security performance requirements.
The most extensive information sharing bill is CISPA, the Cyber Intelligence Sharing & Protection Act. This bi-partisan bill passed House vote in 2012 and 2013, but the Senate has refused to take it up, stating that it lacks sufficient privacy protections. Although the latest bill includes 11 substantive amendments aimed at allaying these concerns, it continues to lack support from the Senate, the White House and the civil liberties and privacy community. As it currently stands, the bill seeks to encourage greater information sharing from the private sector to the government, with appropriate limits on the receipt, retention, use and disclosure of cyber threat information associated with specific persons. The bill would provide criminal and civil immunity for certain private sector security efforts, and also would promote better sharing by the U.S. intelligence community.
Data Breach Notification
It has been 10 years since the State of California passed the country’s first data breach notification law. Since that time, nearly every state has followed, leading to a patchwork of varying obligations for notifying individuals and the government about the actual and potential loss of personally identifiable information. Congress has focused on this problem in the past, seeking to create a single data breach notification statute to serve as the harmonized law of the land. However, disagreements have flared not only over the issue of States’ rights, but also as to which State law serves as the best model.
Private Sector Countermeasures
The private sector has the resources, capabilities, reach and speed to engage more directly in support of the government’s traditional roles to detect, attribute and respond to cyber threat actors. Clear legal authorities, however, remain lacking. Last year, the Senate’s Cybersecurity Act introduced a provision that would allow a private sector entity to operate, or approve the operation of, “countermeasures” in which the good guys modify, redirect or block information. A number of groups thought the bill was too vague as to what actual countermeasures would be allowed or prohibited, and for now the dialogue continues.
Research and Development
This year, the House also passed the Cybersecurity Enhancement Act, which would require additional research into access control management, systems assurance, industrial control systems security, and supply chain management. Meanwhile, the Senate’s Cybersecurity Act of 2013 would require a federal R&D plan that, among other things, seeks to establish new Internet protocols that stress security and include the ability to determine the origin of messages transmitted over the Internet. The Senate bill also would seek new ways to guarantee individual privacy; verify third-party software and hardware; address insider threats; and better secure cloud computing storage and wireless transmissions.
Additional areas of legislative focus include government procurement, workforce development, promoting international norms and fostering public/private collaboration. Still, in terms of a first priority, perhaps what we really need is for NIST to issue Best Practices for Congress and the President to Pass a Cyber Law. Just a closing thought.
NOTE: Portions of this blog appeared previously in my monthly cyber column in Security magazine.