This should be the year that significant bipartisan progress is made on cybersecurity legislation, with new laws set to pass on issues ranging from data breach notification to sharing sensitive cyber intelligence between the public and private sectors. In fact, since President Obama and Republican congressional leaders can't agree on much else, cybersecurity action is moving to center stage.
When President Obama delivers his seventh State of the Union address tomorrow night, cybersecurity plans will be one of many topics – but cyber action is at the top of a short bipartisan “to do” list.
While many other proposals that will be championed by the President, such as free community college tuition and higher taxes on the wealthy, have grabbed recent news headlines in the run-up to the annual State of the Union address, most agenda items are thought to be dead on arrival because of Republican congressional opposition.
However, after years of disagreements and dashed expectations regarding cybersecurity legislation, Republicans and Democrats are finally promising to work together on cyber measures to provide additional online protections for Americans.
Meanwhile, recent cyberattacks on Sony, which the FBI insists came from North Korea, have elevated cybersecurity to the top of the political agenda for the nation in 2015.
President Obama’s Cyber Proposals
Last week, the White House posted a press release announcing new cybersecurity legislative proposals and other cybersecurity efforts. Here’s a quick summary of the proposals:
1) Enabling Cybersecurity Information Sharing: The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector…. The legislation also encourages the formation of these private-sector led Information Sharing and Analysis Organizations….
2) Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity....
3) National Data Breach Reporting: As announced yesterday, the Administration has also updated its proposal on security breach reporting…. The Administration’s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and puts in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.
In addition, the White House has announced a summit on February 13, 2015, to bring together a diverse group to dig deeper into needed cyber proposals and solution details.
The White House will host a Summit on Cybersecurity and Consumer Protection at Stanford University, to help shape public and private sector efforts to protect American consumers and companies from growing threats to consumers and commercial networks....
Why is 2015 Different?
There is no doubt that the details on these initiatives remain somewhat vague, and the needed support has not materialized in the past. However, I believe this year will be different.
First, cyberattacks are getting worse, with a doubling of cyber danger metrics in 2014. Public attention on cyber-related matters is very high right now.
Second, the politics have changed. Both sides of the political aisle need to get some legislation passed to show America that they can work together on (at least some) important matters. It appears that cyberdefense is an area in which both political parties have decided to offer compromises to get a deal.
Third, both sides have announced their intention to get “common sense” cyber legislation passed. For example: “House Speaker John Boehner (R-Ohio) indicated during the meeting that Republicans are ready to work on putting some ‘common-sense’ cybersecurity measures on the president’s desk, according to a statement issued by the congressman’s office.”
Fourth, the global threat situation, including recent terrorist attacks in Paris, has worsened. With cybersecurity and physical security threats becoming more synchronized, the margin for error in cyberspace has become much smaller regarding national security issues.
Fifth, international cooperation on cybersecurity is growing. The President wants to make sure that the US has taken needed cyber actions at home. Here’s what US News said about Prime Minister Cameron’s recent visit to the White House:
Ahead of the visit, Cameron announced that the U.S. and U.K. will stage cyber "war games" together and launch a joint "cyber cell," where officials from the FBI and the National Security Agency will team up with Britain's GCHQ and MI5 intelligence and security agencies to share information on cyberthreats. The first round of war games, scheduled for later this year, will simulate an attack on banks and the financial sectors in London and New York, with more exercises to follow later to test the resilience of national infrastructure.
Tough Questions Remain
While few doubts now remain that more legislative action on cyber is coming in 2015, many tough questions still must be answered. Privacy advocates worry about “Big Brother.”
The New York Times asked: “When should the federal government step in to fight hackers? And is America’s own use of cyberweapons a complicating factor?”
In another article, the details regarding federal breach notification and new student privacy laws were questioned.
On federal breach notification: “The problem is that the effect will likely be to pre-empt the stronger state laws,” said Marc Rotenberg, the president of the Electronic Privacy Information Center, who favors disclosure faster than 30 days. “We want a federal baseline, and leave the states with the freedom to establish stronger standards.”
In addition, there are many questions related to implementation details. How will information be shared between the public and private sectors? Will solutions scale to medium and small businesses that need to be protected? What data can be shared? What incentives will be provided to share information?
These same questions have stifled movement in the past. Still, the cyberattacks against Sony and several major retailers have opened up a new chapter in cybersecurity planning and response. The current status quo is not sustainable.
A few years ago, an article in the Harvard National Security Journal examined the topic of sharing government security technology called EINSTEIN with the private sector to protect critical infrastructure from cyberattacks. Many problems were discussed then, along with many cost and coordination topics that are very complex to deal with today.
Regardless of these past difficulties and remaining questions, most experts agree we have reached a new crossroads in cyberspace, with dangerous paths ahead that need urgent attention. There is no doubt that the current cyberdefense approaches are not working sufficiently and that legislative action is needed.
Remember that the January 20th State of the Union address will be followed by the February 2nd release of the President’s FY 2016 U.S. Budget. There is no assurance that these proposals will be passed by Congress in the form proposed by the President, in a timely manner or at all. Still, given the prominence of cyber recently, some concrete actions should be anticipated, including executive actions.
But it is also true that this current cyber consensus could still unravel, just as other cyber bills have stalled in Washington.
Nevertheless, it now appears that significant progress will be made regarding legislation on information sharing and other cyberdefense issues beginning later this year. The President is ready to take more action on cybersecurity, and bipartisan approaches to cybersecurity legislation appear to be coming in 2015.
So as we head into tomorrow night’s nationally televised speech by President Obama, what is the state of the Union?
Answer: Ready for bipartisan action on cybersecurity legislation.