With the Democratic Party's conquest of both the U.S. House and Senate complete after November's mid-term election, information security leaders are predicting that a tech-friendly Congress will take on a national data breach notification act sometime in the next two years, with other IT-related legislation remaining a possibility.
However, with wars in Afghanistan and Iraq raging, and promises to clean up Congressional ethics still fresh in the minds of voters — all while a Republican still sits in the White House — some experts are unsure how long it will take Democrats to get to information security, if they get there at all.
In the lead-up to the Democrats' big win last November, poll after poll cited voter appetite for change, encouraging the new Congress to deliver some impressive modifications immediately after being sworn in. Therefore, expect the new party in power to try to impress by holding votes on sure-winner bipartisan issues, says Chris Farrow, director of policy and compliance for Configuresoft.
"Without a doubt, I think the new Congress will be looking for a lot of quick fixes to get brownie points, things that they can put out there to make good press," he says. "I would look for them to make some quick wins, but I don't think it will have a huge impact, especially when in two years there is a general election. HIPAA [The Health Insurance Portability and Accountability Act] isn't going to change; GLBA [Gramm-Leach-Bliley Act] isn't going to change. SOX [Sarbanes-Oxley Act of 2002] will probably get watered down."
The Democrats' congressional victories this past November only put them in control of one branch of government. With Republicans in control of the executive branch and the president's veto pen, along with a slim independent-aided Democratic majority in the Senate, citizens should expect gridlock rather than the consensus enjoyed by the GOP during its hold on both the House and Senate, says Jody Westby, CEO of Global Cyber Risk LLC.
"The public is expecting the Democrats to change things, but the Dems don't control the Bush administration or its policy. I think we're in for a year or two of stalemate or some very tough balancing back and forth in trying to push things through," she says. "I just don't see cybersecurity as overtaking some of our foreign policy and our defense issues."
With the next presidential election less than two years away, newly empowered Democrats will go out of their way to prove they're tough on defense and security issues, and not a hindrance to business interests, in an effort to win over red state voters that eluded Sen. John Kerry in 2004. With an eye on the White House, Democrats will frame issues relating to information security carefully, so as not to alienate commerce-minded voters, says Alex Bender, vice president of marketing for Archer Technologies.
"Democrats...are not going to pass legislation just to pass it. They're going to do it in a very smart way," he says.
Also in the press are seemingly omnipresent stories on data breaches, whether at government contractors, such as Boeing, or at federal agencies themselves. Since the infamous Department of Veterans Affairs incident, the Navy and the Federal Trade Commission have also had to recover from breaches suffered in 2006. Farrow wagers that Congress will pass a national data breach notification law, despite the fact that most states already have their own consumer-data-protection laws.
"Thirty-three of 50 states already have their own privacy disclosure laws, so that might make for a few good headlines, but I don't know if it will help a lot," he says. "Of course, if you make it a federal law, you can have some stiffer penalties. That certainly could happen. There's some huge potential for this still."
John Carlson, senior director of the BITS Financial Services Roundtable, says a breach notification law will probably be the first information security hurdle that Congress will attempt to leap — if it can get past jurisdictional issues that could hinder it.
"The issues are really not going to go away, and I'm assuming that Congress will step in at some point and pass legislation. The one that would be first out of the box would be data breach notification, but they have to deal with different issues with different communities," he says. "But if they can get past these issues, we could see one national data breach notification law."
Liz Gasster, executive director of the Cyber Security Industry Alliance (CSIA), says a drumbeat of data breach stories in the media has whetted the public's appetite for a federal notification law, and public demand for such a law is only growing.
"I definitely think we will see data security legislation this year — sooner rather than later. I think now that we've finally hit the 100 million number [of lost records containing personal information, according to the Privacy Rights Clearinghouse], if there wasn't a huge mandate for legislation, there certainly is now," she says. "And I think that Congress will deal with this urgently. [Rep.] Barney Frank [chairman of the House Committee on Financial Services] has said repeatedly that he wants to do something about it."
Paul Kurtz, former CSIA chief and now partner and COO of Good Harbor Consulting, agrees that Congress will catch up to the public's concerns on data security, now that one of every three Americans is at risk for lost data.
"It looks as though we've now passed a very important milestone," he says. "And Congress has to square up to this issue. When you have so many people's information at risk, I don't see how they can sidestep the issue anymore."
Although demand for a federal data breach notification law may be on the rise, Kurtz warns that it's not a sure thing. Ultimately, the fact that many states have taken the initiative and created notification acts of their own could help do in a federal version, he says.
"There are a couple of issues out there that could cause problems. There are splintering issues — states' rights, the ability of states to enforce the law — and those could ultimately be a problem to the passage of any bill on the Hill," he says. "But I think it will work out okay."
Experts predict that SOX will be re-examined in the next two years because of complaints from the private sector about the cost of implementing its regulations. Farrow says he expects changes to SOX to happen during the 110th Congress, the first since the retirement of its authors, Sen. Paul Sarbanes, D-Md., and Rep. Michael Oxley, R-Ohio.
But with the Enron and WorldCom scandals still fresh in the minds of some voters, Congress may decide it has better things to focus on than reforming the popular, bipartisan law. Instead, any changes to SOX may occur through the regulatory agencies, says Carlson.
"[The Securities and Exchange Commission] has the lead on that, and the [Public Company Accounting Oversight Board] has some role as well."
If Congress takes a good look at the U.S. online economy, it should also improve funding for research and development of new technology to protect networks, says Westby. Developing technologies to protect networks in the U.S. should rank higher on Congressional priority lists, she adds.
"For the last three years, we've spent about 20 million dollars per year on research and development. That number is shameful and a gross abdication of our role as a leader in information technology and in our responsibility as creator of the internet," she says. "The Department of Defense spending, out of DARPA [Defense Advanced Research Projects Agency], is just not important to everyone except on those special networks. Our economic security is clearly dependent on private networks."
The information security community has one major advantage in lobbying Congress to pass legislation: everyone generally believes information security legislation to be in the public interest, according to Carlson.
"I think this really is bipartisan — it's about protecting information, and security is important to both political parties," he says.
HELP FROM THE FEDS:
What can government do?
The Cyber Security Industry Alliance has offered the following recommendations to the Department of Homeland Security:
1 Increase leadership: The DHS and the White House should consolidate multiple presidential-level bodies with overlapping responsibilities.
2 Sponsor prevention and mitigation programs: The DHS should partner with the Department of Commerce to sponsor research into viable uses of private sector insurance coverage for cyberattacks and support increased research and development.
3 Establish an early warning system: There is no federally supported, formal system to indicate if a cyberattack is underway and alert stakeholders. One should be created.
4 Institute command and control procedures: DHS should detail how it will respond to and recover from a massive failure of information technology systems due to natural disaster or cyberattack.
5 Articulate an emergency communications system: DHS should ensure that a resilient emergency system is in place in the event of a major cyber disruption.
- Source: The Cyber Security Industry Alliance