Since this seems to be the murky outlook issue, let’s take a look at the status of cybersecurity legislation. The competition among bills has boiled down to a sort of Final Four, only there are no playoff games scheduled at the moment. Somehow the republic survives without cyber legislation, and the longer this goes on the less urgent the whole thing seems in the first place. Actually it’s the final three and a half, plus the White House proposal.
The two main Senate competitors:
- The SECURE IT Act (Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology) is the work of Sen. John McCain (R-Ariz.) and other GOP members.
- The Cybersecurity Act of 2012, the work of Sen. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W. Va.) and Dianne Feinstein (D-Calif.).
In the House is the somewhat controversial CISPA, the Cyber Intelligence Sharing and Protection Act from Rep. Mike Rogers (R-Mich.). It has passed the House, which is more progress than any of the Senate bills has made.
And then the Obama administration has its wish list, elements of which are found in all of the bills, though not completely in any of them. They all address the need for information sharing on cyber matters between the government and the private sector operators of critical infrastructure (and “critical” creates a pretty high barrier), together with privacy oversight and protection. The main difference between the two Senate bills: Lieberman puts Homeland Security at the center of information sharing, and McCain spreads it more throughout the government. CISPA has the intelligence community at the center of information sharing, and that scares the privacy groups.
The bills have subtle differences, but not deep ideological chasms between them.
The impasse in the Senate seems to center on whether Homeland Security could regulate the cybersecurity practices of those critical infrastructure operators: yes in Lieberman, no in McCain. The White House, which in 2009 said it did not want to regulate private industry cybersecurity, in fact favors it now. There is a third, middle-ground bill in the Senate that tries to bridge the gap. It was introduced by Senators Jon Kyl (R-Ariz.) and Sheldon Whitehouse (D-R.I.) and has gone nowhere. This Hill blog post sums up the stalemate.
As for how the federal government approaches its own cybersecurity practices, that seems to me to be moving along nicely without any legislation. In a recent interview by Federal News Radio’s Jason Miller, DHS’s John Streufert, of continuous network monitoring fame, described efforts to update how agencies actually do their cybersecurity. The issue here is that Congress will eventually have a say, because DHS is requesting $200 million in 2013 for common, governmentwide tools. In the meantime, an early administration internal reporting tool, CyberScope, is widely (but not yet universally) supported by agencies.
Government agencies across the board are improving access controls and, thanks to the cloud computing and mobility drives, are looking at end points and data in transit and at rest.
The fact is, legislation is a lousy way to prescribe fine-grained behavior in a dynamic environment. Sufficient technology and managerial knowledge exist within the federal management and contractor support community. Legislating how agencies do cybersecurity would, in my opinion, be superfluous at this point. Congress should set performance standards, OMB can operationalize them, and agencies can carry them out.
As for private critical infrastructure, the recent extended power outages in Washington and the surrounding suburbs and exurbs updated a lot of people’s thinking. It turns out that incompetent utility management, toothless state regulators and old, crumbling infrastructure pose real, not theoretical, threats to the economy and to people’s lives. There’s no federal bill pending for those problems.