A slew of new bills affecting cyber security policies are making their way through Congress. Stephen Lawton takes a look.
In a display of bipartisanship, party leaders said they would work with the White House to pass cyber security legislation during the 2012 presidential election year. While a number of bills are stalled in Congress, cyber security legislation seems to be garnering widespread support.
Although measures around data security often meet their demise on Capitol Hill due to disputes over wording or because other issues take priority, two bills – one in the House and the other in the Senate – appear to have a decent chance of passage.

The Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523), introduced by Rep. Mike Rogers, R-Mich., recently passed through the House Intelligence Committee on a 17-1 vote and is now headed to the House floor.
Meanwhile, two Senate bills also are working their way through the upper house, and have bipartisan support. One of the bills, the Cyber Security and Internet Freedom Act of 2011 (S.413), is similar in nature to the recommendations of the House Republican Cyber Security Task Force, Senate Leader Harry Reid, D-Nev., says.
Those recommendations have received bipartisan support, not only from Reid, but also Rep. Jim Langevin, D-R.I., who tried to get cyber security language through in 2010 as part of the National Defense Authorization Bill. The Senate bill is co-sponsored by Sen. Joseph Lieberman, I-Conn., Tom Carper, D-Del., and Susan Collins, R-Maine, and establishes an Office of Cyber Space Policy within the Department of Homeland Security (DHS), as well as an infrastructure for fighting threats.
Larry Clinton, CEO of the Internet Security Alliance, says he is encouraged that legislators recognize that cyber security is an economic issue, not just a technical concern.

Clinton, who supports the House bill, recommends that legislation be passed that includes incentives for a company to employ improved security practices. “It's in their economic self interest to be more profitable,” he says.
He likens the potential fiscal perks for strong security to those of the early 20th century, when government regulations made it economically beneficial for the electric and telephone companies to expand their services for universal access by guaranteeing a rate of return on the investments. This approach could work for cyber security as well, he says.

However, not all are pleased by the proposed legislation. “The Cyber Intelligence Sharing and Protection Act would create a cyber security exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government for cyber security purposes,” a statement from the American Civil Liberties Union (ACLU) says. The bill, the group points out, would not limit the companies to sharing only technical, non-personal data.
The Electronic Frontier Foundation (EFF) also voiced concern about the use of data collected by the federal government. “[H.R. 3523] doesn't limit what the federal government can do with the data or private communications that ISPs and others hand over, except to say that it can't be used for regulatory purposes – apparently it can be used for law enforcement and intelligence targeting purposes.”

A competing bill, backed by Rep. Dan Lungren, R-Calif., and still in draft form, appears to appease some House Democrats as it would create a nonprofit entity called the National Information Sharing Organization, which would include members from federal agencies, corporations and civil liberties groups. The bill has received a more favorable response from some because it doesn't assign a specific role for DHS.
Still, as organizations such as the ACLU and EFF express concern about the swapping of data among companies and the government, a presidential directive authorizing such sharing has been in place since 2003. President George W. Bush signed Homeland Security Presidential Directive-7, a direct response to the events of Sept. 11, 2001, as a way to gather information about potential future attacks. The directive instructs the secretary of the DHS “to maintain an organization to serve as a focal point for the security of cyber space. The organization will facilitate interaction and collaboration between and among federal departments and agencies, state and local governments, the private sector, academia and international organizations.”

Specifically, the directive says federal agencies “…will collaborate with appropriate private sector entities and continue to encourage the development of information sharing and analysis mechanisms…to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices.”
While the directive does not address the issue of privacy, companies in various vertical industries have created groups to share anonymized data about breaches so that they can better defend against them in the future. These groups, called information sharing and analysis centers (ISACs), were developed as a result of the presidential directive.

The current crop of proposed legislation goes beyond this presidential directive, however, and could codify into law changes to existing privacy laws.
ISA's Clinton says the government is more accustomed to defending against an attack from a single entity. Cyber security is more akin to a terror attack, where the enemy is harder to identify and might not be a single entity. Today's regulations favor the attackers, he says. Attacks are inexpensive to conduct and quite profitable. It is easy to obtain malware scripts. The tools for the attacks can be used multiple times. “The business model is great,” he says.

By changing the economic playing field through legislation and financial incentives for industry, Clinton adds, the government can make it more profitable for companies to build inherently more secure networks than to count the expense of remediating a problem as a cost of doing business.
“If you make it about corporate responsibility, it's unsustainable,” he says. “You need to alter the economics so it's in [the enterprises'] economic self-interest to be more secure.”