Homeland Security Watch

News and analysis of critical issues in homeland security

February 17, 2012

Cybersecurity Act: Collaboration v. Compliance?

Filed under: Congress and HLS, Cybersecurity, Private Sector — by Philip J. Palin on February 17, 2012

On Valentine’s Day the Senate Homeland Security and Governmental Affairs Committee released a proposed Cybersecurity Act of 2012.  The Committee’s Chairman, Joseph Lieberman (I-CT), and ranking member, Susan Collins (R-ME), are co-sponsors.

The roll-out has been impressive.  Check out the Committee’s website for gobs of additional background.  All-star testimony was taken on Thursday.

My HLSWatch colleague, Jessica Herrera-Flanigan has authored a persuasive piece for Roll Call pushing for quick adoption.  Rapid approval by the Senate is a big part of the legislative strategy.

Every cyber-specialist I have communicated with, Jessica included, supports the legislation.  Those on the Hill who have come out against it are – so far – objecting mostly on procedural or cost grounds. (The best political update I could find on Friday morning is from Ellen Nakashima at the Washington Post.)

Yesterday I used a cross-continent flight to read the 205 pages of statutory prose.  Politico called it a “door-stop of a bill.”

Taken at face value, the language could hardly be more benign.

The clear intent is to prevent when possible – and mitigate when prevention is not possible – “the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure…”

To achieve this and similar goals the legislation frames and facilitates a rather intricate process of private-public consultations, information exchange, risk analyses, certification, audits, education, research, and exercises.

In a whole host of ways the language implicitly – but quite obviously – acknowledges that cyber security is not possible without extraordinary – just for emphasis: extra-ordinary – cooperation between government and the private sector and between various elements of the private sector.

As a result, the proposed legislation goes to amazing lengths to encourage information exchange on cyber threats, vulnerabilities, and more.  For example, here are three subsections of Title VII, Information Sharing (page 163):

(d) EXEMPTION FROM PUBLIC DISCLOSURE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be— (1) exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and (2) treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.

(e) EXEMPTION FROM EX PARTE LIMITATIONS.— Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision making official.

(f) EXEMPTION FROM WAIVER OF PRIVILEGE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.

Please, please, please let us know when you are in danger, we promise not to hold you accountable. The federal government is made into a worried parent trying to protect a troubled teenager.

No one tells me the cyberthreat is overdone.  Most tell me it is already worse than is generally known.  Threats, vulnerabilities, and consequences are expected to grow.

Everyone seems ready to agree – at least behind closed-doors – the legislation is well-intended and designed to tee-up a meaningful process of private-public consultations, not pre-ordain the results of that consultation.  If anything, many cybersecurity mavens find the proposed language entirely too tentative and toothless.

But one Chief Information Officer I talked with calls the bill a “Trojan horse, superficially attractive and deeply dangerous.”  According to this person the legislation is fundamentally flawed because it moves the focus of discussion from collaboration to compliance.  “As soon as compliance is the agenda,” he says, “the lawyers take over. We will hardly ever see a technologist again.  That’s not what we need.  They are going to replace a messy, difficult, but realistic process of collaboration with an orderly and mostly meaningless process of certification and compliance.  Risk management is hard.  Compliance is easy.  In one case you invest in real outcomes, in the other you create a legally defensible illusion.”

When I outlined the CIO’s critique to a self-defined “Hill Rat” (and lawyer) who has been involved in cybersecurity, he responded, “The lawyers are already too involved.  That’s been a problem.  It’s been easy for government relations people to show up.   We need CIOs, CTOs, CFOs, COOs, and CEOs.  One way to read the legislation is as a small but very sharp blade to cut through the veil of lawyers behind which too many of our cyber-assets are obscured.  No one wants to regulate, but we need to get real about the risk.”

As the Congressional staffer continued, he went even further, “You know what?  This is really an anti-regulation bill. Unless we do something like this and get much better at the drill than today, a major system is going to be taken down and people will die.  Russian mafia, Iranian Quds, Chinese class project – who knows who?  Then just imagine the rush to regulation.”

Maybe I am overly influenced by two men who were each speaking with evident candor and concern.  But I come away thinking they are probably both right.

The issue is not so much current Congressional intent as longer-term execution.  Whenever legislation is adopted, how can we keep the focus on substantive collaboration?  Next Friday I will offer a suggestion.


8 Comments »

Comment by William R. Cumming

February 17, 2012 @ 6:52 am

Definitely an arena for difficult line drawing and tradeoffs. Yet compliance vis-à-vis collaboration is not as rigid a wall as some might believe. Usually industry looks to incentives as to its compliance efforts, and standardization and uniformity are often not enough selling points.

I think the real question is not the one being asked! Fundamentally with the average family’s telecommunications costs on a monthly basis about to crash the $400 per month level some might ask why given the “free” market is this happening and why should a telecommunications industry so heavily subsidized also have its security issues subsidized?

The airways are not free and not unlimited in their access or utility. The Block D issue is an example.

Clearly there are national security aspects to this discussion. WWI was fought with telegraph and landlines. WWII radio. Now as many have stated the next war may involve cyber and internet issues as outcome determinative in many ways.

It is not just the lawyers but those who understand that the public domain is largely a myth in the USA, since despoiling the commons or exploiting it for private purposes is the game, with all the cost of that exploitation of the commons borne by the public and the benefit private.

So start holding hearings on who benefits, how, and why from the absence or presence of cyber security and why is this suddenly considered not just a critical infrastructure protection issue but one of who is in charge and who can do what.

This is one arena in which the former OTA [Office of Technology Assessment] could have helped Congress, if it had not been destroyed by that prominent advocate of technology Newt Gingrich.

I argue that ignorance lies behind this statutory proposal and wonder why. And it is unlikely that given this election year any such legislation will pass unless almost no one follows it or even reads it. Or, I forgot, Congress no longer often reads its own proposals, so perhaps it will pass.

And how is censorship treated under the new bill? Even mentioned?

Comment by Philip J. Palin

February 17, 2012 @ 4:52 pm

The February 18 edition of The Economist (http://www.economist.com/) is giving special attention to “Over-regulated America.” This is relevant to the cybersecurity legislation, especially in that The Economist is not offering knee-jerk opposition to regulation per se, but is giving thoughtful consideration to what makes some regulatory approaches effective and others counterproductive.

Comment by The Doomsayer

February 18, 2012 @ 8:20 pm

The clock is ticking... let’s get these far too regulated mandates off the books and begin addressing reality!

Pingback by Library: A Round-up of Reading | Res Communis

February 20, 2012 @ 12:51 pm

[...] Cybersecurity Act: Collaboration v. Compliance? – Homeland Security Watch [...]

Pingback by Homeland Security Watch » Creating a Cyber Coast Guard

February 24, 2012 @ 12:11 am

[...] Last Friday I outlined the perceived — in my judgment, real — tension between collaborat… will require. The real debate is over how to resolve this tension: with more dependence on voluntary cooperation or the threat of regulation. (To be clear, the proposal unveiled on February 14 by Senators Lieberman, Collins, and others does not create new regulations per se, but it does initiate a public-private process that would eventually create a regulatory regime.) [...]

Pingback by Homeland Security Watch » Cybersecurity: Pro and con for wonks

April 25, 2012 @ 6:13 am

[...] below for more attention from HLSWatch.  A prior post on a related Senate proposal is available here. More to come. [...]

Pingback by Homeland Security Watch » Government and the cyber-domain; or command-and-control encounters complexity

September 26, 2012 @ 7:59 am

[...] complicated the legislative process.  I already gave attention to many of these issues in a February post.  Whatever the text of the Executive Order these complications will [...]

