Information technology providers and politicians on both sides of the aisle are applauding the Obama administration for wading into the complex issue of cybersecurity. The administration issued its package of Internet security legislative proposals last week, spurring hopes that the U.S. Congress would approve a comprehensive national program this year.
However, the anticipated momentum for Congressional action related to the administration’s proposals may be elusive. Instead, there may be an all-too-familiar logjam, as both substantive and political issues slow down the legislative process. At the moment, the administration is generally getting an “A for effort” from all sides — but on program specifics, it’s earning a lesser grade from some politicians, observers and business groups.
The proposed legislation “is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses and government,” said Howard Schmidt, the administration’s cybersecurity coordinator.
Aims at Four Targets
Reflecting processes similar to those employed in the administration’s healthcare program, the cybersecurity package covers the full spectrum of information technology issues, rather than addressing different aspects separately and incrementally. However, the sheer scope of the cybersecurity issue may be such a challenge that completing a program will take considerable time.
The administration package covers four elements:
- Commercial transactions: The proposal addresses identity theft, including appropriate procedures to notify consumers of data breach events that compromise personal information. The program standardizes what the administration calls a “patchwork” of 47 state laws, and clarifies federal laws and penalties governing computer crimes.
- Critical infrastructure: The plan attempts to reduce legal barriers that inhibit private industry and state and local governments from seeking federal assistance, such as technical analysis by the Department of Homeland Security (DHS), when suspected intrusions related to power, water, finance, transport and other vital functions occur. The plan requires DHS to closely monitor the implementation of enhanced cybersecurity measures by businesses.
- Federal government protection: The administration proposes significant improvements to existing measures, including solidifying the central role of the DHS in protecting federal civilian agencies and updating the Federal Information Security Management Act (FISMA). The plan extends protections for Internet Service Providers to the federal government, enhances privacy and civil liberties protections, and bolsters security for data management functions, especially those that will be migrated to cloud platforms.
- Privacy: The proposal enhances current privacy and civil liberties protections regarding personal information flowing to federal agencies, broadens the role of the U.S. Attorney General in privacy matters, and provides protocols for granting immunity to the private sector and state and local governments for compliance with security standards.
Private Sector Role Debated
Since President Obama initiated a national cybersecurity policy in 2009, the administration has been emphasizing a significant role for business and the need to avoid the imposition of burdensome compliance mechanisms on the private sector.
The administration is working from the premise that it doesn’t have all the answers. However, as the details of its plan have emerged, the issue of the impact on the private sector has come to the fore.
“Overall, the proposals are disappointing compared with what the president said in his 2009 policy statement,” Larry Clinton, president of the Internet Security Alliance, told the E-Commerce Times.
While he endorsed the administration’s effort to reach out to business in developing a protection framework, Clinton was still troubled about some of the specific legislative language. “When you look at some sections, it appears to give DHS some broad authorities here that concern us.”
One section, for example, requires that private companies “certify” to regulatory agencies such as the Securities and Exchange Commission (SEC) or directly to DHS that they have sufficiently implemented cybersecurity measures. The proposal prohibits DHS from issuing any “shut down” orders to private companies that fall short of federal objectives, but it reserves for DHS the power to “take such other action as may be appropriate.”
“Ironically, the President himself was far wiser on this issue when he published the 2009 Cyber Space Policy Review, which in fact called for more incentives, including procurement and tax and liability policies. I don’t see any of that in the new proposal,” Clinton said.
“The balance between government oversight and private sector initiative and innovation is always hard to get right,” Mark MacCarthy, vice president for public policy at the Software & Information Industry Association (SIIA), told the E-Commerce Times.
“I think they got the part right about working with the private sector to set security goals and to take into account the international dimension of the issue. I think that with a number of areas involving outside audits, certification to the SEC, and residual government authority to rework industry frameworks, there might need to be some further conversations,” MacCarthy said.
The critical-infrastructure aspect of the package appears to be the one that is most challenging to address. Here again, the Obama proposal may have some merit, but it clearly is less than satisfactory.
“The difference between critical cyberinfrastructure and other computer systems and networks is a difference in the degree of government oversight,” MacCarthy pointed out. “It is important to make sure the dividing line is drawn in consultation with industry and based upon clear, transparent, predictable criteria. We are still reviewing the proposal to see how well it meets this standard, and expect to work closely with the administration and the Congress as it moves forward.”
Misses the Mark
While some business groups are examining the issue of a balanced approach between the mix of direct regulation and the use of incentives, the Obama proposal falls short on both counts, said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.
“The administration’s ‘hands-off’ approach to cybersecurity thus far hasn’t worked. Without appropriate incentives, industry won’t invest sufficiently in good security,” he maintained.
There’s a broad range of options, suggested Cate.
“At one end might be special tax credits for investing in information security and research, direct funding for research, safe harbors to immunize companies that met certain industry standards from class-action and other lawsuits, and antitrust exemptions for developing collaborative programs,” he told the E-Commerce Times.
“At the other end is direct regulation, federal enforcement of industry standards, more money for enforcement, and expanding the role of the Federal Trade Commission,” said Cate.
There’s some merit in appropriate regulation, in his view. “I suspect that some of the business dread of regulation is misplaced, and some of it ignores the many different forms of incentives that the administration might seek to create.”
The outlook for Congressional approval of a major cybersecurity package is cloudy. On the optimistic side, the Senate is pretty supportive of the administration, noted MacCarthy. Sen. Joe Lieberman, I-Conn., and Sen. Susan Collins, R-Maine, have endorsed the Obama approach.
However, enactment by the House of Representatives is less certain.
Although his group is pressing for passage — even going so far as to visit lawmakers on Capitol Hill — Clinton noted that the substance of the legislation is the priority.
“This is a very complex issue, especially with increasingly sophisticated capabilities by those threatening security,” he observed. “We’d rather get it right than get it quick.”