Enough With the Distractions … It’s Time for Consensus-Oriented Cybersecurity Legislation
(Updated 7-31-12 at 7:30 AM)
In a July 27 letter to the U.S. Chamber of Commerce, Sens. Lieberman, Collins, Rockefeller, and Feinstein criticized the business community’s opposition to S. 3414, the Cybersecurity Act of 2012, a so-called voluntary standards program that would regulate 18 sectors of the already struggling American economy. The senators take the Chamber’s July 25 letter to task on two issues.
1. The bill’s sponsors criticize the Chamber on its position regarding standards and incentives. The senators’ letter says they are “baffled that the Chamber opposes our voluntary, incentives-based approach to protecting our nation’s critical infrastructure. A voluntary framework ... is the very same framework your organization has championed” in a March 8, 2011, multi-industry paper.
The Chamber supports policies that help companies deflect or defeat advanced and sophisticated threats (e.g., nation states, criminal gangs). However, S. 3414 uses such policies as a springboard to regulation, not as genuine public-private collaboration, which is the essential point of the 2011 paper. The Chamber believes that once a government-driven “voluntary” standards system is enacted, it’s only a short hop to a mandatory one because the administration has the intent and regulatory leverage.
A regulatory regime is (at least theoretically) absent from the latest bill, but the intent is not, and this is a major sticking point. Bill sponsors clearly warn that if industries fail to adopt standards voluntarily, then a future Congress would likely compel them to do so. Further, the White House’s cybersecurity coordinator said in an interview that the idea of mandatory standards was “legislatively almost impossible” right now, but “that’s the ultimate goal.”
In short, over the past three years, the Chamber has been rightly skeptical of a bill that would regulate 18 sectors of the American economy. We believe that the “voluntary” performance requirements envisioned in S. 3414 would quickly morph into a de facto government regulatory scheme that negatively impacts privately owned critical infrastructure.
2. The bill’s sponsors criticize the Chamber’s interpretation of how information would be shared with noncivilian agencies under Title VII of S. 3414. The Chamber doesn’t believe that it misinterpreted the bill, and we’re not alone in our view of the bill. The Chamber’s letter states that under the framework senators envision, S. 3414 would eliminate the ability of noncivilian entities, such as the Department of Defense and the National Security Agency, to receive cybersecurity information directly from the private sector.
Interestingly, Sen. Al Franken apparently read the bill the same way as the Chamber. In discussing S. 3414 on the Senate floor last week, he said, “So I think we negotiated a good series of agreements on this which … will ensure that companies who share cybersecurity information with the government give it directly to civilian agencies and not to military agencies [underlining added]. That was a concern people had.” (See July 26, 2012, Congressional Record, S5429.) Perhaps Sen. Franken should have been copied on the senators’ letter.
The trouble with S. 3414 is that its authors propose a hub-and-spoke model for information sharing, likely favoring the Department of Homeland Security, which would potentially exclude noncivilian federal entities, such as Cyber Command. Sections 703(a)(1) and 707(a)(4) make the bill’s intent unclear or inconsistent. It’s reasonable to ask: So which provision wins the day? The Chamber’s argument was that S. 3414 could create information-sharing silos that diminish the timeliness and quality of threat data exchanged between businesses and government and vice versa.
It is easy to lose sight of the big picture. The main problem with Title VII of S. 3414 is that it’s privacy legislation that also tries to facilitate information sharing. However, the Chamber supports two measures that compete with S. 3414 and would enhance U.S. cybersecurity: S. 3342, SECURE IT, and H.R. 3523, CISPA. SECURE IT and CISPA start from the premise that sharing cyber threat information between the government and the private sector is smart public policy and ought to be the overriding aim. S. 3342 and H.R. 3523 have made appropriate adjustments since introduction to account for the concerns of privacy advocates.
The criticisms of our positions are little more than a distraction from central issues not addressed by S. 3414. First, public policy should help businesses battle sophisticated cyber threats. One immediate way to do this is through passing information-sharing legislation, such as SECURE IT and CISPA, which clearly incentivizes businesses to disclose cyber threat information that would benefit their peers and the government. Second, if Congress wants to encourage businesses to enhance their cybersecurity for the public good, which is a worthy goal, then it should offer businesses some legitimate carrots—and not use incentives as a thinly veiled way to regulate the business community.