About 2 weeks ago, I was all jazzed up to write my first blog for Infosec Island. I set up my account and knew the topic I was going to write about – cybersecurity legislation.
Before I sat down to put my fingers to the keyboard, I decided to catch up on some reading that I had set aside in my Read It Later app just in case there was some good information for me to use for my blog.
The first one I read was a blog by James Altucher (one of my favorites to read) about procrastination. Needless to say, that may not have been the best thing to read first because what happened next was somehow predicted by that blog.
Life happened and abolished my last 3 weeks – I have hardly even looked at Twitter and email. I have been working on writing this, a little at a time, for the past week. I am still doing better than Congress is, though, with regard to cybersecurity legislation.
How appropriate it is though that I found myself procrastinating writing this blog seeing how Congress has been doing a brilliant job of just that with cybersecurity legislation. I mean, it all really started to heat up last year when the White House put forth its Cybersecurity Legislative Proposal.
The President called on Congress to act quickly in passing the legislation, for which he had bipartisan support. There was a flurry of activity because several major incidents impacting industry had recently hit the press but that activity went nowhere.
Again, last fall, the White House resubmitted its proposal and pleaded with Congress to take the threat to critical infrastructure and government networks seriously by passing much-needed legislation. Both sides of the aisle shared their sound bites with the press about how committed they were to passing legislation. Senior leaders in industry encouraged Congress to act, agreeing that legislation of some kind was necessary (two examples below).
- “‘The bill already has support from industry,’ IBM's Vice President of Government Relations, Christopher Padilla, said that the Legislation, ‘provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers.’”
- “‘No single company can solve this problem on its own,’ [Wes] Bush, [CEO of Northrop Grumman Corp.] said. ‘It requires a level of expertise and investment that really is the reason we have a federal government.’”
With all this saber rattling behind the cause of cybersecurity legislation, you would have thought the climate was ripe for a quick debate and a legislative win for Congress – they could have actually possibly passed something of value in their tenure.
Not that I am advocating they not take the due diligence to ensure sound legislation is passed, but it is not like this is some new issue that has not already been debated to death in the halls of government buildings and board rooms alike – the debates on the Hill alone started in the 1990s.
No legislation is going to be perfect (it never is), yet it seems that is what Congress is trying to achieve. With every new week that goes by with nothing done, a new proposal seems to bubble to the surface.
Instead of our elected officials actually coming together to iron out their differences over one proposal, they each seem to have to come up with their own that has some little twist that makes it different, yet fundamentally, they are all trying to achieve the same purpose – better cybersecurity for the government and critical infrastructure through information sharing and collaboration.
No one company or agency can do it alone. Everyone seems to acknowledge that, but no one can agree on exactly what the best way to achieve nirvana is, so we go nowhere, or, I would almost argue, backwards.
Back in February, the leadership of both the House and the Senate were promising quick debate and consideration of the White House’s proposed Cybersecurity Act of 2012. However, not 3 days after the proposal hit the streets, Senator McCain announced he was going to come up with his own proposal to oppose the bipartisan-sponsored bill.
Around the same time, the PRECISE Act, sponsored by Rep. Dan Lungren (R.-Calif.), unanimously passed a House subcommittee. A major piece of this legislation was for the Department of Homeland Security to develop cybersecurity standards that critical infrastructure must meet.
However, that type of regulatory authority, in some form or another, is in most of the legislation on the Hill and has become a major sticking point. This is one of the key causes for all this procrastination and new “better” bills popping up, all looking to find that solution to the problem.
To date, none of them have been successful. Even the PRECISE Act made some major changes last week in an attempt to make it more palatable to the majority of Congress, hence the emphasis on “was” regarding the major piece of the bill. It is this sticking point that has once again divided the aisle and invoked the typical party politics that has stopped everything else, to include the critical budget, from getting anywhere.
Then in comes the Cyber Intelligence Sharing and Protection Act (CISPA). This is not a new bill, as it was first introduced back in November of 2011. However, over the last several months, there was not much heard about it. This week, though, it was front and center as it hit the floor of the House for debate.
The White House announced mid-week that if it passed, the President would veto the bill. The White House reaffirmed its commitment to public-private information sharing for better cybersecurity for both the government and critical infrastructure with an emphasis on protecting privacy and civil liberty rights. The administration feels CISPA does not provide the proper authorities to ensure critical infrastructure is protected while individual rights are not compromised.
Advocates for the bill, including Facebook, Microsoft, the U.S. Chamber of Commerce and IT industry trade groups, support it because they feel it simplifies the sharing process, allowing for faster sharing within industry and with the government without giving the government more authorities. Now we will have to see what the Senate will do.
Even with all this activity, Congress has yet to pass anything that encourages information sharing and collaboration between the public and private sector, but that has not stopped the private sector from moving forward on its own. Companies will continue to find ways to share with one another because as each new attack occurs, they realize they cannot do this in a vacuum and that one company’s victimization is another company’s attack prevention.
The Department of Homeland Security is committed to working with critical infrastructure to help defend our nation’s most critical assets. The debates will continue about regulation and authorities and privacy rights but in the end, we all need to come together and find the best way to share threat data so that we can protect our networks.
Hopefully, Congress will find some sort of compromise that best weighs industry's concerns, individual privacy rights, and the need to share critical threat data as quickly as possible. I just hope that the procrastination to pass legislation does not continue on indefinitely.