Will new cybersecurity legislation pass in 2012? If yes, what will be included, what will be left out and which agencies or organizations will be in charge of various information sharing and monitoring roles? These are hot questions in DC right now.
Mark Weatherford, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS), posted an interesting blog on Tuesday. In the post, titled “The Private Sector Agrees, We Need Cybersecurity Legislation Now,” Mark points out that the status quo is simply not acceptable.
Here’s an excerpt:
“Congress is now poised to act on cybersecurity legislation. We must balance private sector innovation with government accountability to protect the nation’s cyber networks, safeguard individual privacy, and enhance the reliability and resiliency of our critical infrastructure.
There will be debates about the legislative proposals in days and weeks ahead, but we owe the American public some basic upgrades to laws that enhance a safer cyberspace…
We need for Congress to pass legislation that allows innovative thinkers from both industry and government to come together quickly and share information that is relevant to cybersecurity. We also need for that legislation to mandate increased and more robust privacy oversight, including penalties for misuse of voluntarily shared information. I came back to Washington last week filled with hope that we can deliver all of this and more because we are all in this together.”
And Mark is not alone. The Cybersecurity Law Blog quoted numerous sources who support new legislation, albeit with different views on who should (or will) be doing what. However, the reality of a new approach was almost a given in that piece. One quote was from a cyber expert at Kaspersky Labs who said:
"After Stuxnet, I got quite involved with the U.S. critical infrastructure, and what's very clear to me is that unless things are mandated by D.C., nothing is changing . . . These companies are being run for the bottom line, and there's simply no budget for anything that's not being mandated by D.C."
The Christian Science Monitor wrote about why the Cybersecurity bill in Congress is getting a big push from the Pentagon. The first sentence sets the tone:
“What keeps Pentagon planners today up at night, even more than the threat of a terrorist attack? It is the prospect of an act of cyberwarfare – an incursion into America’s financial systems, water treatment plants, or the electrical grid that keeps lights on and homes heated….
Legislation on Capitol Hill would require a certain degree of federal oversight of cyberprotection for “critical infrastructure” such as power stations and water plants. Disabling such facilities by attacking their computer systems, say defense officials, would be a “cyber Pearl Harbor.” The bill also would require private firms to let the government know when their systems are hacked.”
The list of articles highlighting the need for cybersecurity legislation in 2012 goes on and on. So is this a done deal? Well … this is an election year and partisan battles are raging.
While some groups like ISPs and civil libertarians are still saying no new regulations are needed, the holdup seems to be dueling bills between the two sides of the aisle. The public rhetoric emphasizes two extremes of a government Internet takeover on one side versus the very serious cyber threat to all critical infrastructures and our economy on the other. There is also debate over who should do what, such as whether the National Security Agency (NSA) should have control over domestic monitoring and/or information sharing – which would be a big change in policy.
A recent Reuters article reported this:
“A Senate aide, speaking on condition of anonymity, said the Senate is unlikely to pass either the McCain bill or the Democratic version and that talks on a possible compromise could begin in the coming weeks.
President Obama's proposed legislation, like the omnibus bill Reid wants, would leave DHS in charge of cybersecurity. DHS could ask for help from the NSA, but would be subject to closer oversight than actions led by the NSA and other parts of the Defense Department.”
What do I think? My view is that a cyber legislation deal will get done in 2012.
No, I don’t have any inside knowledge. Nor do I know what will be in the final deal and what will be left out.
Nevertheless, too much is at stake to do nothing until 2013. In my view, Mark Weatherford is right that the Internet is too vital and the risks are too high to hold off.
Could cyber legislation wait until after the election in November? Possibly – with a deal coming after Thanksgiving. But I hope it doesn’t take that long.
Like many around the world – I’m watching closely and seeing cyber holes that need to be filled. Bottom line, I agree that more can be done - and needs to be done - on cybersecurity in DC in 2012.
What are your thoughts?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.