Cyber policy snared in legislative tangle
In late March, a key member of the House Oversight and Government Reform Committee introduced a bill to overhaul how agencies secure their information technology systems. That same week, a senior member of the House Homeland Security Committee introduced a related bill designed to get tougher on international cyber crime. It was sent to the Foreign Affairs, Ways and Means, and Financial Services committees for their concurrent consideration.
On the other side of Capitol Hill, a senator introduced an international cyber crime bill that went to the Senate Foreign Relations Committee. That happened the same week that the Senate Commerce, Science and Transportation Committee approved and sent to the Senate floor sweeping, comprehensive legislation focused on establishing a public/private partnership for securing critical public and private infrastructure.
Confusing? It certainly seems so. Scattershot? That’s possible, too. Unexpected? Hardly.
That flurry of legislative activity during the week of March 22 shows the sudden and significant rise in the attention members of Congress are paying to cybersecurity. But the sheer number of proposals — the previously bills mentioned are just a few of many cybersecurity-related measures — also illustrates the complexities and jurisdictional layers of crafting a policy to secure U.S. cyberspace.
Meanwhile, the majority of the nation’s IT infrastructure, which includes some of the networks and systems most vulnerable to cyberattack, does not belong to the federal government. It belongs to private-sector companies, such as Verizon, AT&T, Cisco Systems and T-Mobile, and is therefore a long way from the government’s immediate oversight.
Congress’ organizational structure, in which committees are set up to deal with specific industries and regulatory agencies, might explain why no single center of power has overarching control over computer security, which cuts across everything from the energy and financial sectors to water utilities and industrial chemicals.
“I don’t see a center of gravity right now, and I think that’s part of the problem,” said Robert Dix, vice president of government affairs at Juniper Networks, who previously was a senior congressional staff member. “I think they’re well-intended people, but there’s a lot of jurisdictional land-grabbing going on around this topic.”
The consensus in Washington is that the government and industry urgently need to do a better job of securing their IT, and many argue that clearly articulated legislative fixes are needed. However, when the discussion shifts from truisms, such as IT security is important, to the practical writing of law, many fault lines appear.
As a result, several House and Senate panels are reviewing a slew of computer-security related bills. The measures focus on everything from data breaches and new electricity delivery technologies to securing federal agencies’ systems and bolstering research and development.
More than 35 cybersecurity-related measures are percolating in Congress, said Melissa Hathaway, former acting senior director of cyberspace for the Obama administration, who now runs Hathaway Global Strategies and has advisory roles at several IT companies. She tallied the measures as part of a legislative analysis for a cybersecurity program at the Harvard Kennedy School of Government's Belfer Center for Science and International Affairs.
Hathaway said she doesn’t think members of Congress or interest groups realize the extent of the activity. “If people start to see how many bills have been introduced, then it might be easier to join on the ones that you think are more important,” she said.
Technology-related industries, defense contractors, researchers, academics and government agencies all have much at stake in any new IT security legislation. New laws could affect business models, massive government contracts, grants and billions in federal IT budgets.
In addition, some aspects of legislating computer security are nuanced and unique to the Digital Age. For example, an issue that is intrinsic to many legislative proposals is how to increase cooperation between government and the industries that own much of the country’s critical IT infrastructure.
Meanwhile, members of Congress repeatedly say new rules shouldn’t stifle IT innovation, which is seen as a key economic engine. “Certainly, any legislation or regulation that comes out should not be specific as to the kinds of technology but more to the functions,” said Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security.
Industry and privacy advocates are particularly sensitive to how much power, during a national emergency, the government would have over privately owned systems that are considered critical infrastructure. An earlier version of the comprehensive bill that cleared the Senate Commerce Committee in March was reworked after business and advocates raised alarms. Some decisions that lawmakers must make in crafting comprehensive legislation concern the balance of powers and how much regulation industry should face.
James Lewis, director and senior fellow of the Center for Strategic and International Studies’ technology and public policy program and a member of the Commission on Cybersecurity for the 44th Presidency, said the White House doesn’t want Congress telling it what to do, and industry isn’t interested in getting additional mandates or requirements.
“So you’re going to have two very powerful players trying to shape the legislation as it moves forward,” Lewis said.
Many Bills, Different Approaches
Some of the proposed measures have specific aims, such as securing the smart grid — an IT-enabled, next-generation power distribution system designed to increase efficiency — or levying requirements on how companies must notify customers if someone breaches their personal data. Others try to take a much more comprehensive approach to the problem.
However, even the most comprehensive proposals represent a perspective that aligns with the jurisdictional focus of a bill’s sponsor.
For example, the high-profile comprehensive proposal that has cleared the Commerce Committee, sponsored by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), focuses on using the Commerce Department to tackle the cybersecurity problem.
Meanwhile, another comprehensive proposal poised to be introduced by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, respectively, would likely focus more on a Homeland Security Department-focused approach to securing cyberspace.
The Lieberman-Collins bill had not been introduced by press time, although the senators outlined their respective plans for the measure last fall. Senate staff members are gathering feedback on the senators' strategy from interested groups.
Lewis said he’s pretty happy overall with the various comprehensive Senate proposals that he has seen because they include provisions that deal with almost all of the CSIS cybersecurity commission’s recommendations in one form or another.
However, Lewis said it’s still not clear how the various bills proposed in the Senate will fit together. “There’s no [one] single bill yet, nor is there a matching bill on the House side,” Lewis said. He said he believes there is some desire on the Senate side to try to merge the bills into a single package.
One rift that was evident last fall in the legislative plans from Lieberman and Collins was the role the White House should play in federal cybersecurity efforts. Collins has long argued against a cyber coordinator at the White House, preferring instead to focus on beefing up DHS’ cybersecurity capabilities. Lieberman called for a White House executive who would be accountable to Congress.
In general, lawmakers are united in their disdain for the organizational structure of the White House's cyber coordinator position. Numerous proposals, including a measure introduced recently by longtime cybersecurity leader Rep. James Langevin (D-R.I.), would require the job to receive Senate confirmation.
However, not everyone thinks so much attention should be focused on the organizational structure of the cyber coordinator position.
“We’re spending a lot of time talking about whether the cyber coordinator should be appointed or confirmed or whatever,” Dix said. “I’m sure that’s important, but what we’re not doing — at least that I can see evidence of outwardly or even within the organizations that I work with — is a concentrated and comprehensive effort to understand what are the laws that need to change or be updated.”
Dix said what’s really needed is a set of priorities — perhaps devised by a working group that would include congressional staff members and stakeholders — for dealing with everything from securing desktop PCs to the smart grid.
Can a Cyber Bill Become Law?
Industry, privacy and civil liberties groups have several common interests regarding cybersecurity legislation, said Gregory Nojeim, senior counsel and director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology. For example, everyone wants the rules to be clear, he said.
However, forging a comprehensive solution that satisfies all parties is difficult and might be impossible. For example, the version of the Rockefeller-Snowe bill as approved by the Commerce Committee in March was rewritten during the course of a year after privacy advocates, industry and other interested parties submitted their input. However, it still didn’t get final support from all those groups.
Nojeim said the newer version of the Rockefeller-Snowe bill was a dramatic improvement from the first version. However, Nojeim said his group still wants the bill to contain better definitions of presidential powers that would be applicable during a cybersecurity emergency.
TechAmerica, the Business Software Alliance, and the Information Technology Industry Council are still worried about provisions in that bill that would levy certification requirements on cybersecurity professionals who work on critical infrastructure systems.
Meanwhile, others say a more coordinated approach among different parts of the government would be helpful.
“There are several aspects of current legislation that are being worked on in various places, and whether it’s within agencies or interagency processes or the Office of Management and Budget or the Hill, we’d like to see that those at least get coalesced and coordinated a little better,” said Liesyl Franz, vice president of information security and global public policy at TechAmerica.
Hathaway said Congress or the executive branch could make the first move to increase collaboration on the topic.
“I do know that there’s some work being done in pockets, but it needs to really be done in a much more thoughtful strategy, especially because I think it’s difficult to get to legislation and get it though the system,” she said. “I think you’re going to have to start to really address what is needed now and work as a team to get that done.”
Lewis recalled that a year ago, Senate Majority Leader Harry Reid (D-Nev.) had discussed a consolidated bill, but the feeling then was that Congress needed more time to sort through the issues.
Observers don’t rule out the possibility of a bill becoming law this year, but many think it’s unlikely because other important items on the administration’s legislative agenda are lined up ahead of it. More to the point, computer security isn’t likely to drive voters one way or another in an election year, Purdue’s Spafford said. Lawmakers face more pressing political issues.
“This may be a building year,” Nojeim agreed.
TechAmerica’s Franz said cybersecurity traditionally hasn’t been a partisan issue, so she said she hopes that if something doesn’t pass this session, the work that has been accomplished would carry over into the next Congress. One positive sign for something happening in the next session sooner rather than later is that Rockefeller, Snowe, Lieberman and Collins don’t have to run for re-election this fall.
“I think they’re serious about trying to get something passed," Lewis said. "Whether they’ll be able to do it is another matter. The problem isn’t going to go away, so if they don’t do it this year, they’ll just have to do it next year.”
Ben Bain is a reporter for Federal Computer Week.