Communications Daily is a service of Warren Communications News.
Running Out of Time?

Congressional Cybersecurity Plan Lacks Focus, Private Sector Says

Despite the increase in major cyberattacks, Congress’ approach to cybersecurity lacks intensity and clarity, according to private sector security professionals. A deeply partisan Congress and a lack of direction from the government could hamper the effort to secure the nation’s critical assets, policy stakeholders said.

In September Senate Majority Leader Harry Reid, D-Nev., will resume his effort to incorporate the strongest provisions of the Obama administration’s legislative proposal and elements of several pending cybersecurity bills into a single piece of legislation, staffers said. Staff members from at least five Senate committees are currently negotiating the terms of Reid’s placeholder bill, S-21, the Cyber Security and American Cyber Competitiveness Act, said a spokeswoman from the Senate Homeland Security and Government Affairs Committee (HSGAC). Staffers said that Reid hopes to bring the merged cybersecurity bill to the floor sometime “this fall.”

But as cyberthreats increase and grow more powerful, private sector entities say they are skeptical that comprehensive cybersecurity legislation will reach the finish line before the next big attack comes. “I'm worried it has taken so long and people have approached this at such a leisurely pace that we could run out of time,” said Stewart Baker, a partner at Steptoe & Johnson and former assistant secretary for policy at the Department of Homeland Security. “This is Washington. It is easier to stop a bill than to get one through and the closer we get to election season the easier it gets,” said Baker.

“A lot of people are saying we can’t get our hands around what the government is trying to do here,” said Larry Clinton, president and CEO of the Internet Security Alliance. These bills are going to be large and complicated, said Clinton, and will be “really hard to digest in a short amount of time. I don’t think there is nearly enough time.”

One bill that will likely be incorporated into Reid’s legislation is the Cybersecurity and Internet Freedom Act, S-413, which was introduced by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine. A spokesman for Collins said that the working groups are “continuing to meet over the recess” but would not provide any specific details on the negotiations. The committees involved with Lieberman’s bill are HSGAC, Commerce, Intelligence, Foreign Relations and Judiciary.

Staffers said that Reid will try to incorporate elements of a forthcoming cybersecurity bill proposed by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Sen. Olympia Snowe, R-Maine, which failed to gain traction in prior years. Another bill that could be included in Reid’s legislation is the Cybersecurity and Internet Safety Standards Act, S-372, from Sen. Ben Cardin, D-Md. Without naming specific details, Cardin’s spokeswoman told us that “certain provisions” of the bill will be merged with a larger cybersecurity bill “with input from the White House proposal.”

The Senate Judiciary Committee will be the first to address the myriad cybersecurity proposals after the August recess when it convenes for a hearing on Sept. 7. The committee will hear testimony from representatives of the Justice Department and the Secret Service Criminal Investigative Division.

The House has been more aggressive in developing cybersecurity legislation, but its approach has also failed to produce a comprehensive bill. In June the House leadership established a cybersecurity task force composed of Reps. Mac Thornberry, R-Texas, Robert Aderholt, R-Ala., Jason Chaffetz, R-Utah, Mike Coffman, R-Colo., Bob Goodlatte, R-Va., Robert Hurt, R-Va., Bob Latta, R-Ohio, Dan Lungren, R-Calif., and Mike McCaul, R-Texas.

McCaul’s Cybersecurity Enhancement Act, HR-2096, gained traction in July when the House Science Committee unanimously approved it. The bill aims to increase U.S. cybersecurity research and development by providing research grants and increasing federal IT training to bolster the government’s cybersecurity workforce. McCaul’s spokesman said he expects the legislation to reach the House floor by October. “The bill has bipartisan support and Rep. McCaul is not expecting any serious roadblocks to its passage,” he said.

Cosponsors of the McCaul bill seemed optimistic about its pending vote on the House floor. “Our expectation is that the bill will reach the House floor this fall,” said a spokesman for Rep. Dan Lipinski, D-Ill. “The bill addresses a number of the Administration’s cybersecurity priorities, including raising awareness of cybersecurity issues, strengthening international partnerships, enhancing public-private partnerships, developing an R&D framework, and building an identity management strategy.” A spokesman for Rep. Aaron Schock, R-Ill., said “there is consensus among both parties that this [bill] is a needed step in cybersecurity.”

Another pending House bill is Rep. Jim Langevin’s, D-R.I., Executive Cyberspace Coordination Act, which contains a provision that would create a National Office for Cyberspace (NOC). Rep. Rob Andrews, D-N.J., is a sponsor of the bill and said that the provision has divided members. “There is some reluctance amongst the House Republicans in creating a central [cybersecurity] office in the executive branch. I don’t agree with them, but that is the principal disagreement.”

The Obama administration aimed to rally congressional leaders when it unveiled its long-awaited cybersecurity legislative proposal in May. “The President introduced his legislative language and that is helping to crystallize the debate moving forward in a big way,” said Tom Gann, McAfee’s vice president of government relations. The proposal suggested that the Department of Homeland Security should take the lead in any response to a cyberattack on civilian networks. It also sought legislative changes to the Federal Information Security Management Act (FISMA), enhancements to intrusion prevention systems, increased federal cybersecurity recruitment efforts and an overall migration to secure, cloud-based federal data storage.

But the administration’s proposal is not perfect, industry and privacy groups said, and they are wary of some of the proposal’s weakest elements. Industry members were particularly critical of the administration’s proposal for a sort of “name and shame” scenario where the government publishes a list of hacked companies that failed to meet compliance standards, rather than pushing industry participation with fines and civil penalties. “The administration suggests that entities who are subjected to these attacks will be named and shamed,” said Clinton. “This is precisely the wrong incentive.”

The Center for Democracy and Technology (CDT) was troubled by the breadth of the White House’s information sharing proposals, said Greg Nojeim, CDT’s senior counsel. “It would allow any company to share a vast amount of personal information with the Department of Homeland Security for cybersecurity purposes,” said Nojeim. “That seems overly broad and dangerous to privacy.” Nojeim added that the government should avoid setting specific cybersecurity mandates which could potentially hamper the private sector’s efforts. “Our view is that the operators and owners of networks know them best and are best able to secure them.” Finally, the persistent issue of an executive Internet “kill switch” remains a great concern, said Nojeim. “Any ability to shut down traffic that includes communications concerns us.”