Communications Daily is a service of Warren Communications News.
‘Highly Unlikely’

Surveillance Revelations Could Halt Progress on Cybersecurity Legislation

Ongoing revelations about the National Security Agency’s covert surveillance have seriously stymied the chances of passing cybersecurity legislation in this Congress, experts and issue advocates told us in interviews last week. Though the NSA’s surveillance work has little to do with protecting critical infrastructure, the controversy over the leaked information will make lawmakers reluctant to vote for increased information sharing with federal agencies, they said.

“It’s highly, highly unlikely any of that will be passed this year and maybe even next year,” said Steven Roosa, a Holland & Knight attorney who co-chairs its Data Privacy and Security Team. He said there will be no appetite for further empowering the NSA, predicting instead that bills limiting the agency’s power would be much more likely to move in Congress this year. Ross Schulman, public policy and regulatory counsel at the Computer and Communications Industry Association, said “any bill that involves information sharing between industry and government is going to have a hard time right now. Doubly so if the government agency in charge is the NSA.”

Even the terms of the cybersecurity debate have changed, Roosa said. The debate over the Cyber Intelligence Sharing and Protection Act (CISPA) focused on allowing the government and private sector to request relevant information from one another, and “that’s not even a year ago, and with everything that came out, that debate now seems quaint,” he said. Mark Jaycox, policy analyst at the Electronic Frontier Foundation, said the most recent revelations about the NSA’s counterencryption efforts (WID Sept 9 p1) are the “best counterargument against a bill like CISPA,” since it seems as though the vulnerabilities CISPA aimed to protect against are already present in systems. Allan Friedman, director of the Center for Technology Innovation at Brookings Institution, said CISPA took a “fatal hit” in June with the first round of disclosures. Neither the administration nor the NSA want the attention that another CISPA debate could bring, he said.

Politicians on Capitol Hill seem to agree with the experts’ assessment. House Intelligence Committee Chairman Mike Rogers, R-Mich., and ranking member Dutch Ruppersberger, D-Md., CISPA’s sponsors, told a conference last week that the bill had stalled in the Senate. Rogers seemed more optimistic that the bill, with a few changes, could make its way to the president (WID Sept 13 p1). Ruppersberger also said in a statement that cyber legislation is a “top priority. ... We need to work on getting as much information out there as possible to show the public how critical the need for cyber legislation is and how we can do it while still protecting privacy. ... Protecting privacy and protecting national security are not mutually exclusive goals -- we can absolutely do both at the same time and CISPA is proof of that.”

A House Homeland Security Committee aide said prospects for cybersecurity legislation seemed dimmer now than at the outset of this Congress. He said the NSA’s cyber and “black budget” programs had played a role in limiting those prospects, but so had the issuance of the president’s executive order, which set in motion energy to address cyber vulnerabilities without legislation. Friedman also said bills related to critical infrastructure had begun to stall as early as January, since the executive order had taken a number of key steps toward the framework discussion.

Experts also said even less controversial bills like the Cybersecurity Act, sponsored by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and ranking member John Thune, R-S.D., which passed relatively easily out of the Commerce Committee in July (WID July 31 p1), could be hampered by the outcry over the revelations. “This is a hot-button issue for the public. Everyone’s going to look at this stuff with a jaundiced eye, even bills that would be salutary and nonobjectionable,” Roosa said. Jaycox was more optimistic about the chances of narrower cybersecurity legislation. “Those bills are probably the right approach because they focus on research and development and legislating the president’s executive order,” he said. “It does have a chance of passing.” Friedman agreed the revelations were unlikely to fully impede the passage of the narrower bill. “You can expect some of the hearings to mention the recent news, but I don’t think that would be a stumbling block,” he said. “The main reason they haven’t passed sooner is that various parties wanted to go home.”

Thune touted the Cybersecurity Act in a Friday op-ed for the U.S. Chamber of Commerce (http://freepri.se/1gaX88P). “Our bill demonstrates the path forward for other cybersecurity legislation: It should be developed in collaboration with industry and other key stakeholders if we want a solution that will truly work,” he said, saying legislation should not add regulatory burdens and should focus on areas of bipartisanship. “If we follow this course, I am confident that real improvements to our cybersecurity can be achieved.” He also said the Senate Intelligence Committee was still working on its own bill to facilitate greater sharing of cyberthreat information. Officials on that committee had no comment for this story. Aides for other lawmakers who have sponsored legislation on cybersecurity initiatives, including for Rockefeller and Thune, had no specific comment.

Even if the Rockefeller-Thune bill has a chance at passing, “the Senate’s calendar has a tremendous amount of things going on right now,” Jaycox said, pointing to the debate over the U.S. role in Syria, continuing resolutions to fund the government and the debt-ceiling fight. Friedman and Center for Democracy and Technology Senior Staff Technologist Joseph Hall echoed his comments, pointing out that the legislative agenda might be too full to address the issue, especially since the revelations seem to be continuous.

Though surveillance issues may now loom large over cybersecurity on the Hill, experts agreed that the revelations were unlikely to affect ongoing work on the NIST-facilitated Cybersecurity Framework being developed as part of President Barack Obama’s cybersecurity executive order (WID Feb 14 p1). “It won’t impact the framework much unless the framework starts to discuss cryptostandards and encryption, which it doesn’t right now,” Jaycox said. “It’s much more concerned with attacks like designated denial-of-service and simple procedures.”

The recent revelations may have shaken some critical infrastructure industry actors’ confidence in the ongoing development of the framework, but that’s more due to misperceptions of the issue than reality, said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy Program. The revelations about the NIST-NSA connection have been deliberately spun to “do as much damage as possible,” he told us. “I know the NIST-NSA relationship really well, and the idea that NSA is doing this Svengali thing on NIST is just BS.” People are having trouble accepting that the NIST-NSA relationship in this case may not be as sinister as portrayed because “if you can’t explain how the NSA is able to break your code, there has to be a backdoor,” Lewis said. “The answer is that your code is crummy and they can break it. And no one wants to say that. The NSA’s job is to break encryption, so why are we surprised?”

But the real issue for NIST “isn’t that the framework might have been compromised by the NSA -- the issue is that the framework as currently written is unintelligible,” Lewis said. “NIST has gotten the framework’s substance largely right, but they've presented it in a way that’s so complicated it’s unimplementable.” Those problems are “absolutely fixable,” but it’s unclear whether NIST can fix them before it’s required to issue a preliminary version of the framework for public comment, he said. Obama’s cybersecurity executive order mandates NIST issue the preliminary framework by Oct. 10; a final version of the framework must be ready by mid-February.

The NSA revelations came up during a NIST-led framework development workshop last week in Dallas, with NIST Director Patrick Gallagher telling participants that “we would never work with anybody to deliberately weaken that.” NIST said last week that it was reopening the public comment period on its 800-90 standard series for random bit generators in light of the controversy caused by the NIST-NSA revelation (WID Sept 11 p1).

NIST confirmed that it will hold an additional framework development workshop in early November to gather more input following the preliminary framework’s release; the workshop in Dallas was originally supposed to be the last NIST would host. NIST and other federal agencies were still working out the final details for that workshop, but expect to release details this week, said Kevin Stine, NIST information security specialist-Computer Security Division. Robert Kolasky, Department of Homeland Security director-Implementation Task Force, urged participants at the Dallas workshop to provide additional feedback and become “early adopters” of the framework. Adam Sedgewick, NIST senior information technology policy adviser, told workshop participants during a wrapup session Friday that the agency has received feedback indicating the framework needs more refinement -- particularly the tiered rating system that will help framework adopters determine the degree to which they follow the framework. NIST is also prioritizing the inclusion of more refined best practices and standards on privacy and civil liberties protection in the framework, Sedgewick said. NIST may feel compelled to more directly address privacy protections in the framework because of the NSA controversy, “but they really ought to focus on making networks more secure,” Lewis told us. “That’s the best thing they could do for privacy.” -- Erin Mershon (emershon@warren-news.com), Jimm Phillips