The Future of Cybersecurity Legislation: Will the Congress Act?
December 4, 2012
As most members of Congress busied themselves with the election, the debate around the future of cybersecurity legislation in the United States has continued to rage in Washington.
The current session has been a bumpy one for advocates of increased government oversight in the cybersecurity field. A highly anticipated bipartisan bill developed over the past three years by Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), and Jay Rockefeller (D-WV) stumbled over concerns about excessive regulation. The House of Representatives alternative, less prescriptive and more acceptable to the business community, was labeled as a non-starter by the Obama Administration and leading privacy groups.
All sides agree that a problem exists; there is simply no agreement on how to move forward to solve it, and frustrations are building in both parties.
In September, after the Senate failed to move a revised Lieberman-Collins-Rockefeller draft, Sen. Rockefeller fired off a letter to the CEOs of every Fortune 500 corporation asking directly for their views on the programs proposed by the legislation. The move was widely interpreted as an attempt to separate the individual business leaders from the negative stance the U.S. Chamber of Commerce, the voice of business in Washington, D.C., took on the bill. The Chamber has shown no sign of softening its position on the bill in response.
Also in September, the Administration, which supports the Lieberman-Collins-Rockefeller proposal, leaked a draft executive order that would unilaterally establish certain elements of the Lieberman-Collins-Rockefeller bill. Like Sen. Rockefeller’s letter, this was viewed as a negotiating tactic designed to force opponents to strike a deal. The response so far has been negative. Representative Mike Rogers (R-MI), Chairman of the House Intelligence Committee and lead sponsor of the House bill, called the order “irresponsible.” Even Sen. Collins labeled it a “big mistake.”
Chairman Rogers recently tried to create some pressure of his own by hinting at emerging cyber threats that were revealed in recent classified briefings to members of Congress. He is quoted as saying “It appears to be a new level of threat. I want to be careful about what I say here, but it would target our networks from an unusual source.” He went on to state that “I think that particular briefing rekindled people’s interest in trying to get something done during the lame duck.” Of course, Chairman Rogers believes that the bill in which interest should be “rekindled” is the one passed by the House.
It is unclear whether any of these maneuvers will impact the stalemate currently surrounding cybersecurity. The primary sticking points continue to be privacy concerns related to information-sharing and worries about excessive authority for federal agencies.
The House bill, officially titled the Cyber Intelligence Sharing and Protection Act (CISPA), would enable companies to share cyber threat information with each other and the government. The hope is that information sharing will lead to cooperative efforts to identify and combat cyber threats.
The Senate bill, titled the Cybersecurity Act (CSA), empowers companies to share cyber threat information with each other and government agencies as well. However, CSA also grants the Department of Homeland Security (DHS) authority to set minimum security standards for certain critical infrastructure systems. As originally drafted, the standards put forward by DHS would be mandatory for certain industries. After it became clear that this approach would not win sufficient support, however, the lead sponsors made the standards voluntary and added liability incentives to coax companies to comply.
Privacy advocates, such as the American Civil Liberties Union (ACLU), prefer the protections offered by CSA to those in CISPA. These include provisions that require companies to report information directly to civilian customers, as opposed to military; limitations on the use of cyber threat data; and provisions that ensure personally identifying information is stripped from submissions to federal agencies.
The business community is completely in favor of information sharing and liability protection but dislikes the promulgation of minimum standards, voluntary or otherwise, by the federal government. The Administration and supporters of the CSA feel that minimum standards are essential in order to ensure adequate protection of vital networks.
Chairman Rogers believes that a bill along the lines of CISPA is the only plausible option at this point. He says that CISPA, and the information sharing approach it embodies, is “[t]he only bill that is bipartisan, that’s passed a committee...that has had hours and hours and hours of input from end users.” He believes that lawmakers should pass something on information sharing in the lame duck and leave any discussions about mandatory or voluntary minimum standards to the next Congress.
If the Obama Administration is serious about its executive order, there is a chance that Chairman Rogers could get his wish. Supporters of minimum standards, if assured of a second Obama term and a serious effort to construct a voluntary minimum standards program through executive order, could coalesce around an information sharing-only bill in the lame duck session that follows the election as a backdoor way to get most of what they wanted in CSA. Then again, they might not, and the stalemate could continue into the 113th Congress.
Pierce Blue graduated from the Georgetown University Law School and served as a Teaching Fellow and Supervising Attorney at the law school's Federal Legislation Clinic, where he represented non-profit clients in their dealings with Congress and the federal agencies.
This article was originally published in the Diplomatic Courier's November/December 2012 print edition.