As the House and the Senate turn their attention to cybersecurity this month, it is not clear what the final outcome will be in the effort to protect the increasingly vulnerable networks and systems that increasingly run our nation.
Whether one supports the committee-driven, multilegislation approach taken by the House or the comprehensive, single-bill approach employed by the Senate, this much is clear — Congress must do something to address cybersecurity, and it must act this year.
As a policy issue, cybersecurity should not be a partisan issue, and it is unfortunate that it has, in part, been made into one during the past year. This is especially the case as innovation and the Internet are touching every aspect of our lives. Our phones, our banking, our shopping, our critical infrastructure systems and our medical systems — just to name a few — all rely on technologies that, if compromised, could be devastating to our economy, our security and even our health.
Some observers and industry officials have suggested recently that legislation is moving too quickly and needs more vetting before going forward. That assertion left many of us who have followed cybersecurity for many years scratching our heads in wonderment. The sections of the proposed Senate bill have been circulating since at least 2009, when Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduced the Cybersecurity Act.
Their efforts were soon followed by the introduction of the Protecting Cyberspace as a National Asset Act by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine). We have seen multiple hearings, administration input, numerous drafts and countless meetings between industry representatives and Members and their staff.
Quite simply, there is a difference between the Senate moving a bill that certain sectors may dislike and the Senate moving a bill too quickly. For the sake of our nation’s security, all the stakeholders should be working to address concerns, not slowing down processes in hopes that legislation will go away.
That’s not to say the Senate bill is perfect. Sections of a possible comprehensive bill that have been shared with industry are reform of the Federal Information Security Management Act, governmental authorities and responsibilities, critical infrastructure protection and information sharing, as well as miscellaneous sections addressing research and development efforts, education and training, and workforce development.
Discussions between staff and industry led to a number of changes, including to the critical infrastructure protection and information sharing sections, to close the gap between what government wants and what industry appears willing to tolerate, but the issue remains contentious nevertheless.
Other areas that were discussed as possible issues to address in the bill included data breach/retention and supply chain security, neither of which enjoy widespread bipartisan support.
All of these issues are important to protecting the cyber-ecosystem and assuring our nation’s success. Instead of more hearings, Congress should focus its efforts on trying to find common ground on the disputed issues, recognizing that the catch-up-after-the-fact approach to cybersecurity that we are currently employing is not acceptable.
Those who do not approve of certain sections should come to the table with alternative ideas instead of simply saying “no.”
On the House side, the two bills that have made the most progress are the Cyber Intelligence Sharing and Protection Act introduced by Rep. Mike Rogers (R-Mich.), chairman of the Intelligence Committee, and the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, introduced by Rep. Dan Lungren (R-Calif.).
Both bills tackle information sharing, though in different ways. The verdict is out on whether the two bills are complements or competitors of one other.
In addition to these two bills there is also Rep. Michael McCaul’s (R-Texas) cyber R&D bill, the Cybersecurity Enhancement Act, which was approved by the Science, Space and Technology Committee last year. The Judiciary and Energy and Commerce committees are expected to hold hearings and possibly draft their own versions of legislation within their jurisdiction.
Some clarity on a timeline on when cybersecurity will hit the floor would go far in better defining how serious the House is about the issue.
Congress may very well choose to punt on cybersecurity, which would be detrimental. Unfortunately, foreign nations, hactivists and criminal organizations are not punting in their attacks on our networks and systems. The time to act on cybersecurity legislation is now.
Jessica Herrera-Flanigan is a partner at the Monument Policy Group and fellow for cybersecurity at the Center for National Policy. She served as staff director/general counsel of the House Homeland Security Committee and as senior counsel in the Computer Crime Section at the Justice Department.