July 20, 2014    /    by

Outlook for federal action in cyberspace: Expect new net neutrality rules but no cyber laws anytime soon

As we head into the mid-term elections, what cyber policy action is likely in 2014?

Net Neutraity

Photo Credit: Shutterstock

There are a few recurring hot topics that keep coming back again and again inside the DC beltway regarding the Internet. Much of the current tech policy debate resolves around two broad questions:

-          What is happening with federal cyber legislation?

-          What new rules will be implemented by the FCC regarding net neutrality?

Although these technology issues are very complex, with a dizzying array of advocates and dissenters offering hundreds of legal perspectives, lasting answers seem allusive. Just when it looks as if a breakthrough or specific policy direction is winning the day, the wind shifts and the other side(s) counterattacks with new or recycled arguments.

Yes, the stakes are high – and getting higher.

Nevertheless, opposing sides point to dozens of viral articles to support their evolving positions. From new Edward Snowden revelations about the National Security Agency (NSA) to foreign and domestic enemies hacking major retailers, plenty of examples are available to defend conflicting national security, economic or telecommunication arguments.   

Through it all, we are tempted to fall back into the view that: "I’ve seen this movie before and know the ending."

Here are some of the latest developments regarding these two vital questions - along with near-term predictions on answers. 

CISA Passes Senate Select Committee

A few weeks back, cybersecurity experts became excited when new cybersecurity legislation cleared the Senate Intelligence Committee. As reported by InfoWars.com, the bipartisan bill was:

Written by Senate Intelligence Chair Dianne Feinstein (D-CA) and Senator Saxby Chambliss (R-GA), CISA – or Cybersecurity Information Sharing Act – is widely seen as a redux of last year’s CISPA bill, which was widely protested by online privacy watchdogs and ultimately defeated in Congress.

What does the bill do? According to Forbes, the legislation:

·         Requires the director of national intelligence to increase the sharing of classified and unclassified cyber threat information to the private sector, consistent with the protection of sources and methods.

·         Authorizes individuals and companies to monitor their own computer networks and those of their consenting customers for cyber threats and to implement countermeasures to block those threats.

·         Authorizes the voluntary sharing of cyber threat information by individuals and companies with each other and with the government. Such sharing is for cybersecurity purposes only and companies must take appropriate measures to protect against the sharing of personally identifying information.

·         Puts in place liability protections for individuals and companies that appropriately monitor their networks or share cyber information.

·         Requires federal government procedures for the receipt, sharing and use of cyber information. This includes the establishment of a “portal” managed by the Department of Homeland Security through which electronic cyber information will enter the government and be shared with other appropriate federal entities.

·         Limits the government’s ability to use information it receives to cyber-related purposes to ensure it does not engage in inappropriate investigations or regulation.

·         Requires reports on the implementation of these authorities by the heads of federal departments, the Privacy and Civil Liberties Oversight Board and relevant inspectors general.

Why is this bill doomed?

Nevertheless, the Washington Post summarized cyber legislation developments this way:

Privacy watchdogs are up in arms about the latest legislative attempt providing a framework for cybsersecurity information sharing, Julian Hattem at the Hill reports. "The Cybersecurity Information Sharing Act (CISA) makes it possible for companies and government agencies to share information about possible hackers and security weaknesses with each other, which advocates say is critical to make sure that blind spots aren’t left untended for long." But privacy groups warn the bill goes too far, saying it doesn't include enough safeguards to protect civil liberties.

Government Technology Magazine also reported that the bill is drawing criticism:

Jake Laperruque, a fellow at the nonprofit Center for Democracy and Technology, said the bill has a well-meaning purpose—making it easier for businesses to relay information to federal authorities—but contains vague language and broad concepts that raise serious privacy concerns.

He said that there are no clear limits on what information can be shared or used, and that preserving the privacy of names, IP addresses and other personal information in what gets shared is not guaranteed.

But perhaps just as important are the results a simple Google search returns when you enter: “CISA passes Senate Select Committee.”

I was surprised to discover that four of the first six top results were very negative, with top articles such as:

Nightmare for Americans: Senate Passes CISA Cybersecurity Bill

Privacy-Killing Cybersecurity Bill CISA Passes Senate...

Senate Moves Closer to Seizing Control of Cyberspace

Comments on New Net Neutrality Rules

Meanwhile, over at the Federal Communications Commission (FCC), more than a million comments have been received regarding new net neutrality guidance. According to Reuters:

U.S. companies, consumer advocates and citizens submitted more than 1 million comments to the Federal Communications Commission, drawing contentious divisions on the issue of net neutrality as the first deadline to comment approached Friday.

The FCC will continue collecting comments, made in response to these first submissions, until Sept. 10 as it weighs how best to regulate the way Internet service providers (ISPs) manage web traffic crossing their networks. FCC Chairman Tom Wheeler proposed new rules in April after a federal court struck down the FCC's previous version of such rules in January.

The FCC's draft rules propose banning ISPs from blocking users' access to websites or applications but allowing some "commercially reasonable" deals between content providers and ISPs to prioritize delivery of some web traffic.

There is immense public interest surrounding the actions of FCC Chairman Tom Wheeler and what will happen this fall regarding new rules. Both sides of this debate believe that the future of the Internet as we know it is at stake.

Forbes.com offered this opinion worth reading by Larry Downes entitled: The biggest net neutrality lie of all.

Each of these lies has been built on top of the others, and all in the service of the biggest lie of all—a recycled whopper that the Internet “as we know it” is at death’s door, and that the only way to save it is to transform it into a public utility.

I happen to agree with Downes that new FCC proposals are not nearly as radical as most people claim they are. Mr. Downes also wrote:

Yet once the proposal was actually released, it was clear to anyone who bothered to read it that Wheeler’s plan was anything but the radical deconstruction of the Open Internet its opponents claimed it to be.

It appears that some new FCC Internet rules will be implemented this fall. I suspect that both sides will be unsatisfied. I also expect that this will happen after the mid-term election in November.

The past and future for cyber legislation?

Cyber experts have been calling for new cybersecurity legislation for several years now. This commentator wrote similar articles and asked similar questions in 2012:

Will new cybersecurity legislation pass in 2012? If yes, what will be included, what will be left out and which agencies or organizations will be in charge of various information sharing and monitoring roles? These are hot questions in DC right now.

Mark Weatherford, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS) posted an interesting blog on Tuesday.  Titled: The Private Sector Agrees, We Need Cybersecurity Legislation Now, Mark points out that the status quo is simply not acceptable.

And cyber legislation was again being debated in earnest in 2013:

Second, there is bipartisan support for cyber legislation, and there remains hope that some legislation could still pass this year.

Now in 2014, barring a major cyber event that rocks the nation, it appears that cyber legislation will remain in limbo – despite the fact that a bipartisan 12-2 majority supports the items contained in the bill.

But why no progress? What seems to be holding up the sharing of cyber intelligence and the other important actions listed above?

One answer: The Edward Snowden revelations have diminished the trust in government to do the right things with our information in order to protect the nation from cyberattacks. Privacy advocates will stop new steps in sharing sensitive information.

Which leads to another question: Will it take a major Internet incident to break the ongoing cyber legislation deadlock?