White House, Congress Renew Cybersecurity Push
The separation of issues that are still contentious from those where consensus is emerging bodes well for the enactment of legislation that addresses at least some important aspects of cybersecurity protection. "The lack of consensus on these issues should not hold the other critical reforms hostage in moving through the Congress and into enactment," said Larry Clinton, president of the Internet Security Alliance.
In a rare showing of bipartisanship, members of Congress and the White House are trying to breathe new life into the effort to enact national cybersecurity legislation. In a recent flurry of activity, mainly between the Obama administration and the Senate, the issue got back on the legislative track.
In addition to putting the legislation at the top of the agenda, lawmakers signaled that agreement was beginning to emerge on substantive components of the complex initiative. The first public hint that some activity was afoot was a brief acknowledgement in late October that members of the White House staff had met on Capitol Hill with several senators of both parties to discuss approaches to cybersecurity legislation.
"Some good news: just last week, we had a very encouraging meeting with a bipartisan group of Senators that ended with agreement to work together to enact cyber security legislation as soon as possible," said Howard Schmidt, cybersecurity coordinator and special assistant to the president, in an Oct. 28 blog post.
Senate Leader Acts
Sen. Harry Reid, D-Nev., president of the Senate, responded quickly.
"Given the magnitude of the threat, and the gaps in the ability of the government to respond, we cannot afford to delay action on this critical legislation," he said in a letter to Senate Minority Leader Mitch McConnell, R-Ky.
Reid said he would bring a cybersecurity bill to the Senate floor during the first work session of 2012. The administration offered its proposals last May, and members of Congress have also issued their own bills. The House Republican Cyber Security Task Force issued its recommendations Oct. 5.
Importantly, Reid noted that the Republican Task Force approach was "fully consistent with our efforts" -- a comment that was seen as an overture for working on a bipartisan basis.
"I think the members of Congress are starting to look at areas where there is some consensus on cybersecurity issues," Greg Nojeim, senior counsel at the Center for Democracy and Technology, told CRM Buyer.
Four Republican Senators reacted immediately with their own letter to President Obama. They offered a plan for early adoption of cybersecurity legislation that deals with issues for which there is growing consensus. These include measures for sharing information on cyberthreats and security issues between the government and industry; modernization of the Federal Information Security Management Act (FISMA), which governs IT security within federal agencies; increasing criminal penalties for cybersecurity fraud and abuse, including use of the Racketeer Influenced and Corrupt Organizations Act (RICO) for cybercrime; and creating a bigger role for several government agencies on cybersecurity research.
Consensus Emerging on Proposals
Noting that the legislative year is drawing to a close and that any immediate action would require both House and Senate approval, the four senators told President Obama that "we hope you agree that we should focus in the near term on measures that will both advance cyber security and most likely garner broad bi-partisan support."
The Republican Senate group includes Kay Bailey Hutchison, Texas; Lisa Murkowski, Alaska; Saxby Chambliss, Ga.; and Charles Grassley, Iowa.
Prospects for enactment of any legislation this year were likely precluded by Sen. Reid's proposal for focusing on the issue early next year. But the delineation of some issues that could gain consensus was significant.
"The House members clearly indicated that they were interested in moving several critical portions of the cybersecurity package, but they are not interested in establishing a large, new regulatory regime at the Department of Homeland Security (DHS) for this purpose. This dovetails nicely with the letter from the four ranking Republicans, which also indicates their interest in moving several critical pieces of cybersecurity legislation," Larry Clinton, president of the Internet Security Alliance, told CRM Buyer.
"Both the House Report, and the Senate letter to the president suggest that several other important issues -- including how to manage cybersecurity supply chains, the role of DHS regulatory authority, and the method for establishing a federal pre-emption to state data breach notification laws -- have not reached the point of consensus that would be required to get through the current Congress," he said.
Views differ on these components of federal cybersecurity policy:
Critical Infrastructure: While the administration has presented its position as a flexible approach regarding regulation of the cybersecurity aspects of operating "critical" facilities such as water, power and transportation, businesses aren't quite convinced; they prefer the use of incentives to spur improvements in protection. The Senate letter to the administration warned that the creation of a new regulatory regime would change a cooperative government-business relationship to an adversarial situation.
Reid's move to put cybersecurity at the top of the Senate agenda received the support of Sens. Joseph Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del. All three are joint sponsors of the pending "Cybersecurity and Internet Freedom Act."
Supply Chain: Vendors worry that a rigid approach toward cybersecurity protection requirements in the procurement of federal information technology could stymie innovation.
Data Breach Notification: There are differences in the approach to notifying consumers of any breach of personal information in terms of defining the information involved, as well as the role of the states and the national government for enforcement of any requirements, and the burden of penalties for failure to meet notification standards.
However, the separation of issues that are still contentious from those where consensus is emerging bodes well for the enactment of legislation that addresses at least some important aspects of cybersecurity protection. The approach reflected in the proposals from the House Task Force, as well as in the Senate letter to the administration, "indicate that the lack of consensus on these issues should not hold the other critical reforms hostage in moving through the Congress and into enactment," Clinton said. "I think that this opens the door to getting critical cybersecurity measures enacted this coming year."