Cybersecurity Bill May Have More ‘Granular’ Rules Than Thought, CDT Says
The main technology bill in Congress this fall will be the controversial cybersecurity bill by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., some of whose provisions may presage a larger federal role in private networks than critics initially thought, analysts from the Center for Democracy and Technology (CDT) told reporters at a Tuesday briefing. But concern is probably overblown that a validated role for the FCC in net neutrality, in its punishment of Comcast for slowing P2P traffic, will embolden other agencies to claim authority over private networks, they said. The chaotic Hill calendar this fall also includes bills for online privacy, secure identification and P2P user control -- not to mention the likely renewal of expiring provisions of the Patriot Act, analysts said. (See separate report in this issue.)
Congress probably won’t wait for the White House to name a cybersecurity czar before moving forward on legislation, and the Senate looks poised to act quickly, said CDT President Leslie Harris. Besides Rockefeller’s bill, Senate Homeland Security Chairman Joe Lieberman, I-Conn., and Ranking Member Susan Collins, R-Maine, are working on legislation, but it’s not known if they're drafting a single measure together or competing bills, Harris said. House work on cybersecurity is likely to remain sector-specific, probably targeted toward the power grid, said Senior Counsel Greg Nojeim, though Chief Operating Officer Ari Schwartz said the House Oversight Committee was still drafting a bill with related elements in a revamp of the Federal Information Security Management Act.
The Rockefeller bill’s language is now more vague on the president’s authority in an emergency, following a second draft that seemed to answer some criticisms but inflamed others (WID Aug 24 p1), Nojeim said. It would help if President Barack Obama stated his view of the extent of his authority, so Congress could debate that and factor it into legislation, he said. Yet any specific presidential authority over private networks provided in a bill must be very carefully tailored, since courts wouldn’t have much discretion to interpret such language, Harris said.
Revised provisions in the new draft that would give some authority over private network and software security to the National Institute of Standards and Technology (NIST) are a cause for concern as well, Nojeim said. Though the first draft provided “heavy handed” regulation in the form of NIST authority over standards for private companies, the second tasks NIST with developing “best practices” instead, he said. But it also makes their implementation by companies “auditable” by NIST, which could result in rules that are “much more granular than the [bill] language would suggest.”
NIST has done well to expand security guidelines across the entire government through publications such as 800-53, and “the private sector learns from that,” said Schwartz, who has reviewed such guidelines as a member of the congressionally chartered Information Security and Privacy Advisory Board. But there are valid concerns about how that process “scales out” to companies. Though NIST is underway with a reorganization of its computer security division, which could impact its role in the private sector, people generally trust Obama’s nominee for NIST director, Patrick Gallagher (WID Sept 14 p3), Schwartz said. CDT also isn’t concerned about the cybercrime background of the official who replaced White House cybersecurity review chief Melissa Hathaway in August. Chris Painter, a longtime Justice Department computer-crime prosecutor, is a “thoughtful civil servant,” Schwartz said.
The FCC shouldn’t have anything more than “narrowly tailored” authority given by Congress to regulate network openness, Senior Policy Counsel David Sohn said. A bill to give sweeping authority to the agency to regulate neutrality, by Rep. Ed Markey, D-Mass., doesn’t necessarily show the agency lacked some inherent authority when it punished Comcast, but those issues will be resolved in court, he said. The ruling could be “more procedural,” requiring the FCC to start over again with reviewing Comcast’s treatment of P2P traffic rather than denying the agency’s role in some enforcement, Sohn said.
Though CDT worries about a bill that would “open the floodgates” to wider government regulation of the Internet, a confirmed role for the FCC in neutrality probably wouldn’t be understood as a “broader authority” for agencies in general to regulate networks, Harris said. Some congressional grant of authority can be preferable to the years-long rulemakings that agencies otherwise would have to undertake, as the FTC would have done without the CAN-SPAM law, Schwartz said.
The “wild card” for the fall is an online privacy bill supposed to be on the way from House Communications Subcommittee Chairman Rick Boucher, D-Va., which may be based in part on the advertising industry’s self-regulatory principles (WID July 6 p1), Harris said: “The [Commerce] committee isn’t going to be engaged in health care forever.” The committee also is working to narrow the scope of another bill that worried CDT, the Informed P2P User Act, initially opposed by several Internet and software companies as impacting routine Internet practices besides file-sharing (WID May 6 p2), Sohn said. With many cosponsors, it’s likely the bill will get substantial committee attention this fall, he said.
A slight divergence between data-breach notification regulations issued by the FTC and Department of Health and Human Services is more serious than it sounds, said Deven McGraw, director of the center’s health privacy project. Both take effect Sept. 24 but the agencies have said the new rules won’t be enforced for six months, providing a grace period for compliance -- and for CDT to lobby for the revision of HHS rules, she said. HHS performed a “truncated” rulemaking to arrive at its rules implementing the HITECH Act, creating a standard for “significant risk of harm” that varies depending on the type of data accessed, McGraw said. That’s in contrast to the FTC rules, which don’t require notification if entities are “reasonably certain” data weren’t accessed -- regardless of the type of data. The HHS standard is “wide open” for interpretation, reducing the effectiveness of threatened enforcement, she said.