As the House and the Senate turn their attention to cybersecurity this month, it is not clear what the final outcome will be in the effort to protect the increasingly vulnerable networks and systems that increasingly run our nation.
Whether one supports the committee-driven, multilegislation approach taken by the House or the comprehensive, single-bill approach employed by the Senate, this much is clear — Congress must do something to address cybersecurity, and it must act this year.
As a policy issue, cybersecurity should not be a partisan issue, and it is unfortunate that it has, in part, been made into one during the past year. This is especially the case as innovation and the Internet are touching every aspect of our lives. Our phones, our banking, our shopping, our critical infrastructure systems and our medical systems — just to name a few — all rely on technologies that, if compromised, could be devastating to our economy, our security and even our health.
Some observers and industry officials have suggested recently that legislation is moving too quickly and needs more vetting before going forward. That assertion left many of us who have followed cybersecurity for many years scratching our heads in wonderment. The sections of the proposed Senate bill have been circulating since at least 2009, when Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduced the Cybersecurity Act.
Their efforts were soon followed by the introduction of the Protecting Cyberspace as a National Asset Act by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine). We have seen multiple hearings, administration input, numerous drafts and countless meetings between industry representatives and Members and their staff.
Quite simply, there is a difference between the Senate moving a bill that certain sectors may dislike and the Senate moving a bill too quickly. For the sake of our nation’s security, all the stakeholders should be working to address concerns, not slowing down processes in hopes that legislation will go away.
That’s not to say the Senate bill is perfect. Sections of a possible comprehensive bill that have been shared with industry are reform of the Federal Information Security Management Act, governmental authorities and responsibilities, critical infrastructure protection and information sharing, as well as miscellaneous sections addressing research and development efforts, education and training, and workforce development.
Discussions between staff and industry led to a number of changes, including to the critical infrastructure protection and information sharing sections, to close the gap between what government wants and what industry appears willing to tolerate, but the issue remains contentious nevertheless.
Other areas that were discussed as possible issues to address in the bill included data breach/retention and supply chain security, neither of which enjoy widespread bipartisan support.
All of these issues are important to protecting the cyber-ecosystem and assuring our nation’s success. Instead of more hearings, Congress should focus its efforts on trying to find common ground on the disputed issues, recognizing that the catch-up-after-the-fact approach to cybersecurity that we are currently employing is not acceptable.
Those who do not approve of certain sections should come to the table with alternative ideas instead of simply saying “no.”