On Valentine’s Day the Senate Homeland Security and Governmental Affairs Committee released a proposed Cybersecurity Act of 2012. The Committee’s Chairman, Joseph Lieberman (I-CT), and ranking member, Susan Collins (R-ME), are co-sponsors.
The roll-out has been impressive. Check out the Committee’s website for gobs of additional background. All-star testimony was taken on Thursday.
My HLSWatch colleague, Jessica Herrera-Flanigan has authored a persuasive piece for Roll Call pushing for quick adoption. Rapid approval by the Senate is a big part of the legislative strategy.
Every cyber-specialist, like Jessica, I have communicated with supports the legislation. Those on the Hill who have come out against are – so far – objecting mostly to procedural or cost concerns. (The best political update I could find on Friday morning is from Ellen Nakashima at the Washington Post.)
Yesterday I used a cross-continent flight to read the 205 pages of statutory prose. Politico called it a “door-stop of a bill.”
Taken at face-value the language could hardly be more benign.
The clear intent is to prevent when possible – and mitigate when prevention is not possible – “the risk of national or regional catastrophic damage within the United States caused by damage or unauthorized access to information infrastructure…”
To achieve this and similar goals the legislation frames and facilitates a rather intricate process of private-public consultations, information exchange, risk analyses, certification, audits, education, research, and exercises.
In a whole host of ways the language implicitly – but quite obviously – acknowledges that cyber security is not possible without extraordinary – just for emphasis: extra-ordinary – cooperation between government and the private sector and between various elements of the private sector.
As a result, the proposed legislation goes to amazing lengths to encourage information exchange on cyber threats, vulnerabilities, and more. For example, here are three sections of Title VII Information Sharing (page 163):
(d) EXEMPTION FROM PUBLIC DISCLOSURE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall be— (1) exempt from disclosure under section 552(b)(3) of title 5, United States Code, or any comparable State law; and (2) treated as voluntarily shared information under section 552 of title 5, United States Code, or any comparable State law.
(e) EXEMPTION FROM EX PARTE LIMITATIONS.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) shall not be subject to the rules of any governmental entity or judicial doctrine regarding ex parte communications with a decision-making official.
(f) EXEMPTION FROM WAIVER OF PRIVILEGE.—Any cybersecurity threat indicator disclosed by a non-Federal entity to a cybersecurity exchange under subsection (a) may not be construed to be a waiver of any applicable privilege or protection provided under Federal, State, tribal, or territorial law, including any trade secret protection.
Please, please, please let us know when you are in danger; we promise not to hold you accountable. The federal government is made into a worried parent trying to protect a troubled teenager.
No one tells me the cyberthreat is overdone. Most tell me it is already worse than is generally known. Threats, vulnerabilities, and consequences are expected to grow.
Everyone seems ready to agree – at least behind closed doors – that the legislation is well-intended and designed to tee up a meaningful process of private-public consultations, not pre-ordain the results of that consultation. If anything, many cybersecurity mavens find the proposed language entirely too tentative and toothless.
But one Chief Information Officer I talked with calls the bill a “Trojan horse, superficially attractive and deeply dangerous.” According to this person the legislation is fundamentally flawed because it moves the focus of discussion from collaboration to compliance. “As soon as compliance is the agenda,” he says, “the lawyers take over. We will hardly ever see a technologist again. That’s not what we need. They are going to replace a messy, difficult, but realistic process of collaboration with an orderly and mostly meaningless process of certification and compliance. Risk management is hard. Compliance is easy. In one case you invest in real outcomes, in the other you create a legally defensible illusion.”
When I outlined the CIO’s critique to a self-defined “Hill Rat” (and lawyer) who has been involved in cybersecurity, he responded, “The lawyers are already too involved. That’s been a problem. It’s been easy for government relations people to show up. We need CIOs, CTOs, CFOs, COOs, and CEOs. One way to read the legislation is as a small but very sharp blade to cut through the veil of lawyers behind which too many of our cyber-assets are obscured. No one wants to regulate, but we need to get real about the risk.”
As the Congressional staffer continued, he went even further: “You know what? This is really an anti-regulation bill. Unless we do something like this and get much better at the drill than today, a major system is going to be taken down and people will die. Russian mafia, Iranian Quds, Chinese class project – who knows who? Then just imagine the rush to regulation.”
Maybe I am overly influenced by two men who were each speaking with evident candor and concern. But I come away thinking they are probably both right.
The issue is not so much current Congressional intent as longer-term execution. Whenever legislation is adopted, how can we keep the focus on substantive collaboration? Next Friday I will offer a suggestion.