Cybersecurity: A Congressional Priority
New Congress Likely to Reconsider Cyberthreat Info-Sharing Bill
The 114th Congress, with solid Republican majorities in both the House and Senate, convenes this week at a time of growing public awareness of security breaches, especially the cyber-attack last year on Sony Pictures Entertainment.
And that means the new Congress is likely to soon take up legislation to promote the sharing of cyberthreat information between business and the government in an effort to help foil breaches.
"It isn't becoming a political issue in the sense that it is partisan. It is, however, becoming political in the sense that the general public is becoming increasingly concerned with the security of the systems they depend on," says Paul Rosenzweig, a former Department of Homeland Security policymaker who serves as a senior adviser to The Chertoff Group, a risk consultancy. "That concern will drive the debate."
President Obama also is putting pressure on Congress to enact laws to make cyberspace safer, especially legislation to encourage the sharing of cyberthreat information. After the cyber-attack on Sony Pictures Entertainment, Obama used his year-end press conference on Dec. 19 to call on Congress to pass threat-sharing legislation.
"One of the things in the new year that I hope Congress is prepared to work with us on is strong cybersecurity laws that allow for information-sharing across private sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place," he said.
Will Squabbling Continue?
In the past two Congresses, Obama and House lawmakers bickered over the wording of cyberthreat sharing legislation, with the White House twice threatening to veto legislation that passed the House of Representatives with bipartisan support. The Senate, controlled by Democrats until this week, never took up its version of the legislation.
The White House and Congress differed on how to ensure the protection of individuals' privacy as well as their civil liberties. In its veto threat, the administration said the legislation passed by the House last year failed to require businesses to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or private-sector entities. "Given some issues that the privacy community has raised, we need to take that into account as we ... work on the bill," a senior administration official said last year in discussing the legislation.
Other differences between the administration and Congress centered on how cyberthreat information is shared with intelligence agencies. Privacy groups worry that the National Security Agency and other intelligence organizations could misuse the data to threaten Americans' privacy and civil liberties.
The administration also contended that legislation in the last Congress extended liability protections too broadly. Businesses say they need the legislation to prevent lawsuits that could result from disclosing how they protected - or inadequately safeguarded - their digital assets. But the administration expressed concern that the bills before Congress could allow businesses to exploit those protections to thwart lawsuits that have nothing to do with cybersecurity.
Compromise in the Air
Can the White House and Congress compromise? Several experts say they believe both sides are motivated to find a middle ground.
"It takes 60 votes in the Senate to move a bill," Rosenzweig says. "After Sony, I am skeptical that there are 41 votes to block information sharing legislation."
Dan Lohrmann, the former Michigan state chief information security officer who has long kept an eye on Washington cybersecurity developments, expects members of Congress to act on the issue this year. "They want to be shown as doing something constructive before something worse happens than the recent attacks on Sony," he says. "Cyber may offer the better hope [for compromise] as compared to immigration [reform] or debt reduction."
Lohrmann, now chief strategist and chief security officer at security awareness training firm Security Mentor, points out that many lawmakers - including Republican Sen. John McCain of Arizona and Democratic Rep. Jim Langevin of Rhode Island, co-chairman of the House cybersecurity caucus - have called on Congress to act quickly on cyberthreat information sharing legislation.
But to reach a compromise, the White House and Congress must first agree on a definition of privacy, says Gene Spafford, who as executive director of Purdue University's Center for Education and Research in Information Assurance and Security follows cybersecurity legislative developments.
"There is no broad policy on privacy, and there needs to be," Spafford says. "We need clear lines on privacy protection from companies giving up too much information, to government agencies collecting too much. Companies and agencies should be liable for poor practices and for over-sharing or exposure. The fair information privacy principles are a good start for defining reasonable limits to what is collected and shared."
Three Factors to Mull
To get a bill enacted, Spafford says, lawmakers need to address the three factors influencing the conversation around cyberthreat information sharing legislation: national security, privacy and undue burdening of business with new requirements. "Depending on who you talk to, the balance of these three is different," he says. "Without some better understanding of consequences and compromise, action will not be uniformly accepted."
Momentum is building for Congress to enact cyberthreat information sharing legislation. "Many organizations now are involved directly or indirectly with critical infrastructure protection," says Harry Raduege, director for cyber risk services at the business consultancy Deloitte & Touche, who co-chaired the Commission on Cybersecurity for the 44th Presidency. "Thus, pressure from numerous interested and critical sector supporters and organizations will begin immediately to apply pressure on the new 114th Congress."
But experts warn against expecting the adoption of a new cyberthreat information sharing law to have a substantial impact on data breaches. "Are we overhyping the information sharing legislation and giving the impression that this bill would solve, or even make a significant dent, in the cybersecurity problem?" asks Larry Clinton, president of the Internet Security Alliance, a trade group that backed the House legislation.
Clinton, for instance, says he doubts that a cyberthreat information sharing law would have helped to prevent the Sony breach. "Most of the benefit of information sharing would be to help entities [stop] second attacks that use similar methods," he says. "I haven't heard anyone in the government come forward and say they had information that would have helped Sony stop the attack. ... To think we are going to address this problem by passing one narrow bill, even a good one, is woefully mistaken."
The new Congress also is expected to take up legislation to nationalize data breach notification. Business leaders say they need one national statute because of the burden their companies face in complying with 47 different state laws. Many lawmakers and the Obama administration favor a national law, but the big challenge facing Congress is deciding on key provisions, such as what constitutes a breach worthy of notification and when businesses should notify individuals and law enforcement of a breach. As the multitude of state statutes shows, there's no consensus on the provisions to be incorporated in a data breach notification law.