Cyber policy snared in legislative tangle

Cybersecurity remains a more pressing concern among experts than lawmakers, who have 35 cyber-related proposals and counting weaving their way through the legislative process.

In late March, a key member of the House Oversight and Government Reform Committee introduced a bill to overhaul how agencies secure their information technology systems. That same week, a senior member of the House Homeland Security Committee introduced a related bill designed to get tougher on international cyber crime. It was sent to the Foreign Affairs, Ways and Means, and Financial Services committees for their concurrent consideration.

On the other side of Capitol Hill, a senator introduced an international cyber crime bill that went to the Senate Foreign Relations Committee. That happened the same week that the Senate Commerce, Science and Transportation Committee approved and sent to the Senate floor sweeping, comprehensive legislation focused on establishing a public/private partnership for securing critical public and private infrastructure.

Confusing? It certainly seems so. Scattershot? That’s possible, too. Unexpected? Hardly.

That flurry of legislative activity during the week of March 22 shows the sudden and significant rise in the attention members of Congress are paying to cybersecurity. But the sheer number of proposals — the previously mentioned bills are just a few of many cybersecurity-related measures — also illustrates the complexities and jurisdictional layers of crafting a policy to secure U.S. cyberspace.

Meanwhile, the majority of the nation’s IT infrastructure, which includes some of the networks and systems most vulnerable to cyberattack, does not belong to the federal government. It belongs to private-sector companies, such as Verizon, AT&T, Cisco Systems and T-Mobile, and is therefore a long way from the government’s immediate oversight.

Congress’ organizational structure, in which committees are set up to deal with specific industries and regulatory agencies, might explain why no single center of power has overarching control over computer security, which cuts across everything from the energy and financial sectors to water utilities and industrial chemicals.

“I don’t see a center of gravity right now, and I think that’s part of the problem,” said Robert Dix, vice president of government affairs at Juniper Networks, who previously was a senior congressional staff member. “I think they’re well-intended people, but there’s a lot of jurisdictional land-grabbing going on around this topic.”

The consensus in Washington is that the government and industry urgently need to do a better job of securing their IT, and many argue that clearly articulated legislative fixes are needed. However, when the discussion shifts from truisms, such as IT security is important, to the practical writing of law, many fault lines appear.

As a result, several House and Senate panels are reviewing a slew of computer security-related bills. The measures focus on everything from data breaches and new electricity delivery technologies to securing federal agencies’ systems and bolstering research and development.

More than 35 cybersecurity-related measures are percolating in Congress, said Melissa Hathaway, former acting senior director of cyberspace for the Obama administration, who now runs Hathaway Global Strategies and has advisory roles at several IT companies. She tallied the measures as part of a legislative analysis for a cybersecurity program at the Harvard Kennedy School of Government's Belfer Center for Science and International Affairs.

Hathaway said she doesn’t think members of Congress or interest groups realize the extent of the activity. “If people start to see how many bills have been introduced, then it might be easier to join on the ones that you think are more important,” she said.

Technology-related industries, defense contractors, researchers, academics and government agencies all have much at stake in any new IT security legislation. New laws could affect business models, massive government contracts, grants and billions in federal IT budgets.

In addition, some aspects of legislating computer security are nuanced and unique to the Digital Age. For example, an issue that is intrinsic to many legislative proposals is how to increase cooperation between government and the industries that own much of the country’s critical IT infrastructure.

Meanwhile, members of Congress repeatedly say new rules shouldn’t stifle IT innovation, which is seen as a key economic engine. “Certainly, any legislation or regulation that comes out should not be specific as to the kinds of technology but more to the functions,” said Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security.

Industry and privacy advocates are particularly sensitive to how much power, during a national emergency, the government would have over privately owned systems that are considered critical infrastructure. An earlier version of the comprehensive bill that cleared the Senate Commerce Committee in March was reworked after business and advocates raised alarms. Some decisions that lawmakers must make in crafting comprehensive legislation concern the balance of powers and how much regulation industry should face.

James Lewis, director and senior fellow of the Center for Strategic and International Studies’ technology and public policy program and a member of the Commission on Cybersecurity for the 44th Presidency, said the White House doesn’t want Congress telling it what to do, and industry isn’t interested in getting additional mandates or requirements.

“So you’re going to have two very powerful players trying to shape the legislation as it moves forward,” Lewis said.

Many Bills, Different Approaches

Some of the proposed measures have specific aims, such as securing the smart grid — an IT-enabled, next-generation power distribution system designed to increase efficiency — or levying requirements on how companies must notify customers if someone breaches their personal data. Others try to take a much more comprehensive approach to the problem.

However, even the most comprehensive proposals represent a perspective that aligns with the jurisdictional focus of a bill’s sponsor.

For example, the high-profile comprehensive proposal that has cleared the Commerce Committee, sponsored by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), focuses on using the Commerce Department to tackle the cybersecurity problem.

Meanwhile, another comprehensive proposal poised to be introduced by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, respectively, would likely take a more Homeland Security Department-focused approach to securing cyberspace.

The Lieberman-Collins bill had not been introduced by press time, although the senators outlined their respective plans for the measure last fall. Senate staff members are gathering feedback on the senators' strategy from interested groups.

Lewis said he’s pretty happy overall with the various comprehensive Senate proposals that he has seen because they include provisions that deal with almost all of the CSIS cybersecurity commission’s recommendations in one form or another.

However, Lewis said it’s still not clear how the various bills proposed in the Senate will fit together. “There’s no [one] single bill yet, nor is there a matching bill on the House side,” Lewis said. He said he believes there is some desire on the Senate side to try to merge the bills into a single package.

One rift that was evident last fall in the legislative plans from Lieberman and Collins was the role the White House should play in federal cybersecurity efforts. Collins has long argued against a cyber coordinator at the White House, preferring instead to focus on beefing up DHS’ cybersecurity capabilities. Lieberman called for a White House executive who would be accountable to Congress.

In general, lawmakers are united in their disdain for the organizational structure of the White House's cyber coordinator position. Numerous proposals, including a measure introduced recently by longtime cybersecurity leader Rep. James Langevin (D-R.I.), would require the job to receive Senate confirmation.

However, not everyone thinks so much attention should be focused on the organizational structure of the cyber coordinator position.

“We’re spending a lot of time talking about whether the cyber coordinator should be appointed or confirmed or whatever,” Dix said. “I’m sure that’s important, but what we’re not doing — at least that I can see evidence of outwardly or even within the organizations that I work with — is a concentrated and comprehensive effort to understand what are the laws that need to change or be updated.”

Dix said what’s really needed is a set of priorities — perhaps devised by a working group that would include congressional staff members and stakeholders — for dealing with everything from securing desktop PCs to the smart grid.

Can a Cyber Bill Become Law?

Industry, privacy and civil liberties groups have several common interests regarding cybersecurity legislation, said Gregory Nojeim, senior counsel and director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology. For example, everyone wants the rules to be clear, he said.

However, forging a comprehensive solution that satisfies all parties is difficult and might be impossible. For example, the version of the Rockefeller-Snowe bill as approved by the Commerce Committee in March was rewritten during the course of a year after privacy advocates, industry and other interested parties submitted their input. However, it still didn’t get final support from all those groups.

Nojeim said the newer version of the Rockefeller-Snowe bill was a dramatic improvement from the first version. However, Nojeim said his group still wants the bill to contain better definitions of presidential powers that would be applicable during a cybersecurity emergency.

TechAmerica, the Business Software Alliance, and the Information Technology Industry Council are still worried about provisions in that bill that would levy certification requirements on cybersecurity professionals who work on critical infrastructure systems.

Meanwhile, others say a more coordinated approach among different parts of the government would be helpful.

“There are several aspects of current legislation that are being worked on in various places, and whether it’s within agencies or interagency processes or the Office of Management and Budget or the Hill, we’d like to see that those at least get coalesced and coordinated a little better,” said Liesyl Franz, vice president of information security and global public policy at TechAmerica.

Hathaway said Congress or the executive branch could make the first move to increase collaboration on the topic.

“I do know that there’s some work being done in pockets, but it needs to really be done in a much more thoughtful strategy, especially because I think it’s difficult to get to legislation and get it through the system,” she said. “I think you’re going to have to start to really address what is needed now and work as a team to get that done.”

Lewis recalled that a year ago, Senate Majority Leader Harry Reid (D-Nev.) had discussed a consolidated bill, but the feeling then was that Congress needed more time to sort through the issues.

Observers don’t rule out the possibility of a bill becoming law this year, but many think it’s unlikely because other important items on the administration’s legislative agenda are lined up ahead of it. More to the point, computer security isn’t likely to drive voters one way or another in an election year, Purdue’s Spafford said. Lawmakers face more pressing political issues.

“This may be a building year,” Nojeim agreed.

TechAmerica’s Franz said cybersecurity traditionally hasn’t been a partisan issue, so she said she hopes that if something doesn’t pass this session, the work that has been accomplished would carry over into the next Congress. One positive sign for something happening in the next session sooner rather than later is that Rockefeller, Snowe, Lieberman and Collins don’t have to run for re-election this fall.

“I think they’re serious about trying to get something passed,” Lewis said. “Whether they’ll be able to do it is another matter. The problem isn’t going to go away, so if they don’t do it this year, they’ll just have to do it next year.”

 
