Lawmakers Spar Over Cybersecurity Legislation

The Congressional debate over the U.S. budget has been in the limelight for months, but other critical issues are proving difficult to resolve as well. A case in point is the goal of lawmakers to develop a comprehensive national cybersecurity policy. There are many conflicting approaches to the issue, including a proposal offered by the Obama administration, a Senate bill, suggestions emanating from the House and trade group recommendations.

In late June, House Speaker John Boehner, R-Ohio, created a new Cyber Security Task Force led by Rep. Mac Thornberry, R-Texas. The group, composed entirely of Republicans, will examine the largest and most complex issues and make recommendations on cybersecurity authorities, information-sharing, public-private partnerships, critical infrastructure, and domestic legal frameworks. The panel also will evaluate the administration’s proposal. The task force will report back to GOP leaders in October.

“American jobs and national security depend upon our nation’s ability to innovate and dominate information technology fields,” said Boehner, noting that the effort is designed to “evaluate what the House can do to help secure America’s technology infrastructures.”

Creating a study group is the tried-and-true way politicians can appear to be working on a complex issue while essentially avoiding any action. However, in this case, the creation of the task force may produce a good result.

House Needs Unified Process

“The committee structure in the House isn’t as conducive to the development of comprehensive cybersecurity legislation as is the committee structure in the Senate,” said Gregory T. Nojeim, senior counsel at the Center for Democracy and Technology (CDT).

“For that reason, it is not surprising that the House leadership would establish a task force to address cybersecurity legislation, and I see it as a way to move the ball forward, and not as a step backwards. A mechanism had to be established to pull the different committees of jurisdiction together,” he told CRM Buyer.

“The House absolutely needs a group like this to process cybersecurity legislation because of the difficult jurisdictional issues that apply to bills under House rules,” Larry Clinton, president of the Internet Security Alliance, told CRM Buyer.

The task force “has the Speaker and leaders’ support and has already met twice,” Clinton noted. “This seems like progress to me.”

In addition to overcoming procedural hurdles, the task force approach could provide substantive improvements in the proposed legislation.

“I don’t know anyone who believes that the proposed Senate bills we have seen, nor the White House legislative proposal, would do anything to deal with the most serious threats, like APT, that are our major problem today. In fact, most of the current bills focus more on government reorganization, accounting, and long-term things like education,” Clinton said.

“These may be good things in their own right, but none of that helps against our most serious threatsWe are still hoping to work with the House, the Senate and the administration to craft a bill that will address the serious problems we face with cybersecurity on a sustainable way through a true partnership between industry and government,” he said.

APT refers to “advanced persistent threat” as a specific intrusion. In general, industry uses the term to describe a targeted attack aimed at stealing sensitive information. An APT may not cause any immediate harm but may work slowly to compromise security over a period of time.

But just as the House Task Force got under way, yet another significant proposal tumbled out to be added to the mix. A House Commerce subcommittee chaired by Rep. Mary Bono Mack, R-Calif., approved a bill that creates national standards dealing with data breaches and requirements for notifying consumers about cyberattacks and identity theft, such as those that recently occurred at Sony and Epsilon.

While that proposal crowds an already full legislative agenda, it too could have a positive result, in that it focuses on just one element of cybersecurity and therefore has a better chance for widespread backing.

“Many members of Congress see the strong bipartisan support for targeted data security and breach notification as a signal to get that piece done sooner. To that end, Rep. Bono Mack has done a very good job of taking a targeted approach, with the goal of enacting a national standard in the near future,” David LeDuc, senior director for public policy at the Software and Information Industry Association, told CRM Buyer.

“One concern about the House task force is that it’s not bipartisan,” noted CDT’s Nojeim. “If the legislation that it develops does not draw bipartisan support, it could become difficult to meld with the Senate effort, which is bipartisan.”

McCain Triggers Senate Conflict

While the Senate may have a simpler jurisdictional process for enacting cybersecurity legislation, that process is still deficient, according to Sen. John McCain, R-Ariz. McCain has renewed his call for the creation of a special temporary select committee in the Senate to coordinate various initiatives. These include a bill sponsored by Sens. Joseph Lieberman, I-Conn., Susan Collins, R-Maine, and Tom Carper, D-Del., that was adopted by the Senate Homeland Security and Governmental Affairs Committee.

McCain also noted that in addition to the Senate bill and the Obama proposal, three federal agencies — the Commerce, Defense and Energy Departments — recently issued strategies dealing with aspects of cybersecurity protection.

“With so many agencies and the White House moving forward with cybersecurity proposals, we must provide Congressional leadership on this pressing issue of national security,” McCain said.

However, Sens. Lieberman and Collins reacted quickly in voicing opposition to Sen. McCain’s idea in a July 13 letter to the Senate leadership.

“The Homeland Security and Governmental Affairs Committee’s examination of our nation’s vulnerability to cyber attack has been a truly bipartisan effort, and the bill that our committee unanimously marked up was the product of years of bipartisan work,” Lieberman and Collins say in their letter. “A select committee will necessarily require a restart of efforts that have been underway for years and would wash away the significant progress that the Senate has made.”

With the House committee not scheduled to report its findings until October and the Senate now involved in a debate over how to proceed on the issue, prospects for enactment of a comprehensive bill this year appear to dimming. For Internet users, providers and associated vendors, resolution of the different approaches on cybersecurity may be more elusive than before.