So amidst all of the gridlock in Congress and the presidential campaigning, there is actually a pretty good chance that Congress might get something significant and forward-looking done this year. The issue is cybersecurity, which is already covered in more than 30 congressional statutes--or so says CRS in this enormously helpful report. Cybersecurity policy has been debated, and then promptly put on the back burner, for more than a decade, and there appears to be bipartisan, as well as executive-legislative branch, agreement that the time has come to revise the framework.
Why does the landscape seem so much different this time around? According to Tim Starks over at CQ Weekly (caution: paywall), it's because of Senate Majority Leader Harry Reid. He recognizes the importance of the issue, and the urgency of taking steps forward, reports Starks. According to a leadership aide interviewed for Starks' article, "He's been convinced by experts in the Pentagon and intelligence community that cyber is the single biggest threat in the United States that remains more or less unaddressed."
This post attempts to round up the various proposals and give the lay of the land in anticipation of congressional deliberation on this topic. We'll be tracking the legislation and welcoming some guest posts by experts on cybersecurity issues.
According to the experts at CRS, the major areas the legislation is likely to cover are:
- The role of government, including either the establishment of a new office within the White House or providing significant new authority to DHS--or both;
- Reforming the Federal Information Security Management Act of 2002 (FISMA);
- Protecting infrastructure;
- Coordinating across sectors and sharing information;
- Handling data breaches;
- Prosecuting cybercrimes;
- Dealing with privacy with regard to electronic commerce;
- International efforts;
- Research and development; and
- The cybersecurity workforce.
So, what are the competing proposals?
The White House presented its proposal for cybersecurity legislation back in May 2011. It focused on three areas needing protection: the American public, critical infrastructure, and federal government networks. It aims, as the proposal puts it, to:
- Establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
- Defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
- Strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
House Speaker John Boehner has also signaled his commitment to passing a bill in this Congress, establishing a Task Force in the House led by Congressman Mac Thornberry. The Task Force, made up of twelve Republican members spanning committees with jurisdiction over cybersecurity policy, released its recommendations this past October. The recommendations centered on both short-term fixes and a longer-term approach to updating our laws, and were organized into four issues: critical infrastructure and incentives, information sharing and public-private partnerships (notably, the Rogers-Ruppersberger proposal), updating current cybersecurity laws, and legal authorities. The House would prefer to break the legislation into smaller bills and focus on developing incentives for businesses to opt in, rather than forcing new regulations on them. House committees have made progress on various provisions of what could ultimately become a single bill.
Tim Starks wrote another must-read piece in CQ Weekly discussing committee action.
Over in the Senate, there are two key proposals currently under consideration: S. 413, the collaboration between Senators Lieberman and Collins as committee leaders of the Homeland Security and Governmental Affairs Committee, and the collaboration between Senators Jay Rockefeller and Olympia Snowe, who are the committee leaders of the Commerce Committee. Their bill was introduced during the 111th Congress. The ultimate bill will likely be a combination of these two, and reports indicate that the Senate's effort is a bipartisan one. Certain components of a comprehensive bill have already been approved by committees with jurisdiction, including bills increasing penalties for hackers, instructing companies on how to deal with data breaches, and increasing protection for the nation's electricity grid against cyberattacks. Another notable bill is the Gillibrand-Hatch International Cybercrime Reporting and Cooperation Act, S. 1469.
You'll find a handy table in this CRS report comparing Lieberman-Collins, the House Task Force Report and the White House Proposal.
We plan to cover the Senate's consideration of cybersecurity legislation if and when a proposal is brought to the floor (potentially this week?). Stay tuned.