Cybersecurity Proposals Begin to Meld
"Any approach that would advance legislation would be a plus," said James Lewis, director and senior fellow at CSIS. "The Senate bill is a big bill, but it's not necessarily comprehensive. What we are seeing with the various bills and the Task Force report is that we are starting to gain a consensus of what we need to do as a country on cybersecurity."
Prospects for enacting an ambitious and comprehensive national cybersecurity protection program during this year's congressional session may be fading. That's the bad news. The good news is that various approaches to a cybersecurity agenda may be melding into a program that is acceptable to politicians of both parties and to e-commerce businesses as well.
In addition, it now appears that the way to achieve legislative success is to enact smaller, more manageable components of a cybersecurity program rather than a major comprehensive bill.
In a move to speed up the legislative process, House Speaker John Boehner. R-Ohio, charged a special task force to come up with a set of cybersecurity recommendations embracing the interests of nine different House committees that have jurisdiction in IT protection. The House Republican Cyber Security Task force unveiled its recommendations Oct. 5.
"These recommendations provide sound, concrete steps to help strengthen our cybersecurity now, while also highlighting issues that need more work," said Rep. Mac Thornberry, R-Texas, who chaired the group.
Breaking the Logjam
A major thrust of the task force effort appeared to reflect legislative realities for avoiding procedural logjams. The report focuses on four components of cyberprotection -- each of which could be addressed by an individual bill.
"Legislative packaging and vehicles must, of course, be decided by the House leadership, but we are generally skeptical of large, 'comprehensive' bills on complex topics, at least as the bills are being written. Individual bills could, of course, be packaged together at some point later in the legislative process," the report notes.
A few components could be addressed individually to move legislation along, suggested Thornberry. Separate proposals dealing with incentives for business, information sharing, and the updating of relevant laws "can lead to real progress rather than more gridlock like we have seen with larger proposals."
Key lawmakers from different parties viewed the House report favorably.
"The recommendations offered by the House Task Force are another sign that members in both chambers and on both sides of the aisle recognize that we must take steps to better protect America's critical data and infrastructure networks," said Sen. Tom Carper, D-Del.
"While we might differ in some areas, we agree in others. We should come together and redouble our efforts to pass this much needed cybersecurity legislation as soon as possible," he added.
"The House Task Force is right to identify cybersecurity as a major national security concern. While our approaches differ in a few respects, we share many areas of agreement on how to strengthen our defenses against cyberattacks," said Sen. Susan Collins, R-Me.
The report also garnered a positive response from an official deeply involved with the Obama administration's efforts in cybersecurity.
"The administration commends the House Republican Cyber Task Force for this contribution to the cybersecurity policy discussion," Ari Schwartz, senior Internet policy advisor at the National Institute of Standards and Technology (NIST), told CRM Buyer.
"The administration is working on many fronts to protect Americans and improve our nation's cybersecurity. Legislation is an important component of these efforts," he added.
NIST, a unit of the Department of Commerce, is developing many of the criteria to facilitate improved Internet protection.
"The administration urges Congress to enact legislation as quickly as possible to ensure the security of the networks upon which the economic and national security of our nation rests. There is an imperative for legislative action in this Congress. We need to modernize the law to ensure that our country's infrastructure remains protected against cyberthreats," Schwartz said.
"At this point, whether it's a comprehensive bill or a plan to enact different components separately, any approach that would advance legislation would be a plus," said James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS).
"The Senate bill is a big bill, but it's not necessarily comprehensive. What we are seeing with the various bills and the Task Force report is that we are starting to gain a consensus of what we need to do as a country on cybersecurity," he told CRM Buyer.
The Private and Public Issue
The Task Force document may also serve as a catalyst for engaging private sector support for a federal program.
"There are common areas in the recommendations with previously released White House and Senate proposals, including data breach notification legislation, Federal Information Security Management Act (FISMA) reform, ensuring liability protection for industry, and enabling information sharing between the government and the private sector. These four areas provide momentum for much-needed legislation that should happen this year," said Liesyl Franz, TechAmerica's vice president of cybersecurity and global public policy.
In substance, while the Task Force admits that the government must be involved in cybersecurity policy, the group stresses that such a role should be limited. Critical infrastructure assets, such as power and telecommunications, are mostly owned by the private sector, the report notes.
"Yet we have been told that the free market alone may not be able to improve security sufficiently. The return on investment may be hard to prove, and businesses will only do what makes sense for the bottom line," it says.
To address this conflict, the group recommends that Congress adopt a menu of voluntary incentives to encourage private companies to improve cybersecurity. Tax credits, liability protections for compliance with security "best practices," and other tools could be used as incentives.
The tricky area of information sharing poses a similar dilemma.
"Private sector entities control the vast majority of information networks and assets vulnerable to a cyber attack. Consequently, such entities are often in the best position to identify and defend against cyber-related threats," the report notes.
To promote security, "Congress should facilitate an organization outside of government to act as a clearing house of information and intelligence sharing between the government and critical infrastructure to improve security and disseminate real-time information designed to help target and defeat malicious cyber activity," it says.
"We appreciate that the Task Force has focused on enhancing incentives, not increasing regulations, to encourage private companies to step-up cybersecurity," said Ken Wasch, president of the Software & Information Industry Association (SIIA). "In the fast-changing world of cybersecurity, strict mandates could hinder businesses from adapting to the ever-changing technology landscape."