
Cyber and the NDAA

By Paul Rosenzweig
Wednesday, November 27, 2013, 2:14 PM

Congress is in recess now (that's why it's so quiet here in Washington) and when they return the first order of business for the Senate is to take up the 2014 NDAA.  The bill, authorizing activities of the Department of Defense, is one of the few bills that routinely gets a full hearing in the Senate and has a high likelihood of being passed into law.  As a consequence, in recent years it has become something of a Christmas Tree.  [For those outside the Beltway, a Christmas Tree is an attractive "must pass" bill on which other members of Congress hang ornaments -- i.e. their own pet legislation.  That's why some tax bills often have environmental measures attached and it's also why the NDAA will have an Obamacare fix this year.  :-0 -- just joking].

More seriously, the Christmas Tree effect is why, as The Hill reports, Senator Rockefeller is planning to offer his Cybersecurity Act of 2013 as an amendment to the NDAA.  The bills are not strictly related, but the NDAA is moving and Rockefeller's CSA bill is not ... unless it can hitch its wagon to a train that is leaving the station.

Rockefeller's bill, S. 1353, is nothing like last year's controversial Lieberman-Collins bill.  Last year's bill had a large architecture for regulation, covered information sharing and was intended to be a comprehensive approach to cybersecurity.  This year's version is a much more modest affair.  Indeed, its anodyne nature is best indicated by the fact that Senator Thune, the Republican ranking member of the Commerce Committee, is a co-sponsor and that the bill passed out of that Committee unanimously.

S. 1353 does three small things.   I will leave to others a dissection of its provisions enhancing cyber education and cyber research and development.  Both of those strike me as "nice to haves" where Congress throws a little bit of money at the problem, orders the Executive to think about how to make things better and then washes its hands of the problem.

The third piece is quite similar -- S. 1353 codifies the existing NIST process for developing cybersecurity standards.  Since the President has already begun that process through an executive order, about the only benefit to this legislation is that it institutionalizes the process and ensures that once the first assessment is complete NIST will begin the process all over again.  We are told that NIST will "on an ongoing basis, facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure."

There is, of course, much to dispute about the nature of the NIST process.  I've written before about my fear that the voluntary standards will soon become non-voluntary mandates.  But the Senate bill adds little to that discussion except to make it a permanent part of the landscape.  I suppose even that decision is a bit of a cost to innovation, but compared to the standard development process itself, the institutionalization of the standard setting function seems a modest change.

In short, S. 1353 does very little of note.  Indeed, I am comfortable predicting that it will be added to the NDAA with nary a dissent.  And thereafter, Congress may well wash its hands of cybersecurity and mark the problem "solved" -- which, come to think of it, might very well be the best possible result.