March 8, 2012 By Dan Lohrmann
Will new cybersecurity legislation pass in 2012? If yes, what will be included, what will be left out and which agencies or organizations will be in charge of various information sharing and monitoring roles? These are hot questions in DC right now.
Mark Weatherford, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS) posted an interesting blog on Tuesday. Titled: The Private Sector Agrees, We Need Cybersecurity Legislation Now, Mark points out that the status quo is simply not acceptable.
Here’s an excerpt:
“Congress is now poised to act on cybersecurity legislation. We must balance private sector innovation with government accountability to protect the nation’s cyber networks, safeguard individual privacy, and enhance the reliability and resiliency of our critical infrastructure.
There will be debates about the legislative proposals in days and weeks ahead, but we owe the American public some basic upgrades to laws that enhance a safer cyberspace…
We need for Congress to pass legislation that allows innovative thinkers from both industry and government to come together quickly and share information that is relevant to cybersecurity. We also need for that legislation to mandate increased and more robust privacy oversight, including penalties for misuse of voluntarily shared information. I came back to Washington last week filled with hope that we can deliver all of this and more because we are all in this together.”
And Mark is not alone. The Cybersecurity Law Blog quoted numerous sources who support new legislation, albeit with different views on who should (or will) be doing what. However, the reality of a new approach was almost a given in that piece. One quote was from a cyber expert at Kaspersky Labs who said:
"After Stuxnet, I got quite involved with the U.S. critical infrastructure, and what's very clear to me is that unless things are mandated by D.C., nothing is changing . . . These companies are being run for the bottom line, and there's simply no budget for anything that's not being mandated by D.C."
The Christian Science Monitor wrote about why the Cybersecurity bill in Congress is getting a big push from the Pentagon. The first sentence sets the tone:
“What keeps Pentagon planners today up at night, even more than the threat of a terrorist attack? It is the prospect of an act of cyberwarfare – an incursion into America’s financial systems, water treatment plants, or the electrical grid that keeps lights on and homes heated….
Legislation on Capitol Hill would require a certain degree of federal oversight of cyberprotection for “critical infrastructure” such as power stations and water plants. Disabling such facilities by attacking their computer systems, say defense officials, would be a “cyber Pearl Harbor.” The bill also would require private firms to let the government know when their systems are hacked.”
The list of articles highlighting the need for cybersecurity legislation in 2012 goes on and on. So is this a done deal? Well … this is an election year and partisan battles are raging.
While some groups like ISPs and civil libertarians are still saying no new regulations are needed, the holdup seems to be dueling bills between the two sides of the isle. The public rhetoric emphasizes two extremes of a government Internet takeover on one side versus the very serious cyber threat to all critical infrastructures and our economy on the other. There is also debate over who should do what, such as should the National Security Agency (NSA) have control over domestic monitoring and/or information sharing – which would be a big change in policy.
A recent Reuters article reported this:
“A Senate aide, speaking on condition of anonymity, said the Senate is unlikely to pass either the McCain bill or the Democratic version and that talks on a possible compromise could begin in the coming weeks.
President Obama's proposed legislation, like the omnibus bill Reid wants, would leave DHS in charge of cybersecurity. DHS could ask for help from the NSA, but would be subject to closer oversight than actions led by the NSA and other parts of the Defense Department.”
What do I think? My view is that cyber legislation deal will get done in 2012.
No, I don’t have any inside knowledge. Nor do I know what will be in the final deal and what will be left out.
Nevertheless, too much is at stake to do nothing until 2013. In my view, Mark Weatherford is right that the Internet is too vital and the risks are too high to hold off.
Could cyber legislation wait until after the election in November? Possibly – with a deal coming after Thanksgiving. But I hope it doesn’t take that long.
Like many around the world – I’m watching closely and seeing cyber holes that need to be filled. Bottom line, I agree that more can be done - and needs to be done - on cybersecurrity in DC in 2012.
What are your thoughts?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.