WASHINGTON: After months in deep freeze, cybersecurity legislation is showing signs of life again on Capitol Hill. The spark behind this renewed activity is the long-awaited executive order on cybersecurity, which President Obama signed Tuesday and which was released today at a press conference at the Commerce Department.
The Obama Administration began working on the executive order after a comprehensive cybersecurity bill was defeated in the Senate last year. The order directs federal agencies to redouble their network defense capabilities and to share information about cyber attacks. A draft copy of the executive order obtained by Breaking Defense in November outlines many of the responsibilities that the White House wants government regulatory agencies either to continue to follow or to improve, and it puts the Department of Homeland Security firmly in charge of the process.
With the release of the order, Congress now has a framework to begin hammering out legislation. Since the failure of the last cybersecurity bill in November, Capitol Hill had been in a “wait and see” mode until the order’s release. Even with draft copies of the executive order circulating around Washington for months, there was some guessing as to what the final version would say, said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Because of this uncertainty, he noted, Congress was right to hold off on any new bills until the executive order was released. “It doesn’t make sense to write legislation until you see what the executive order can do,” he said.
There have already been rumblings of activity. In the House, the Cyber Intelligence Sharing and Protection Act (CISPA) is being reintroduced today as well. The bill, sponsored by House Intelligence Committee leaders Mike Rogers and Dutch Ruppersberger, had passed the House with broad bipartisan support but was not picked up by the Senate. Although the bill is popular and meets many of the White House’s cybersecurity goals, the Obama Administration had threatened to veto it over concerns that it does not offer enough protections for personal data.
The core of CISPA is a voluntary information sharing system between commercial industry and the government that would alert agencies such as the NSA and DHS to cyber attacks. But the Obama administration and civil liberties groups contended that there were few safeguards in the original bill, making it possible for companies to hand personal Internet search records over to the government. CISPA is popular with intelligence and industry groups because of its stance on information sharing. It also appeals to business groups because it creates no mandatory standards for industry, Congressional staffers told Breaking Defense.
The reintroduced legislation narrows the definition of information sharing to specific cyber threat data that can be voluntarily shared between the private sector and the government. It also puts strict limitations on how the government can use that information and allows individuals to sue the government in federal court for violations of the law’s privacy restrictions.
CISPA allows the government to share classified cyber threat information with the private sector and allows private firms to anonymously share threat information with each other or with the government on a voluntary basis. The bill also provides liability protection for companies who defend their computer networks or share information.
Any government use of cyber information shared by the private sector will be reviewed by an intelligence community inspector general, who will provide an unclassified report to Congress. CISPA also has a sunset clause requiring Congress to review it after five years to see if the law needs to be renewed or modified.
There is also a new bill on the Senate side, S21, introduced late last month by Tom Carper, the new Homeland Security chairman; Jay Rockefeller, chairman of the Commerce and Transportation Committee; and Dianne Feinstein, chairwoman of the Senate Intelligence Committee. It calls for improved defenses for public and private computer networks, better information sharing between government and industry, and the creation of a public-private partnership to protect against cyber attacks.
The legislation offers no specifics about how to improve private sector network defenses or whether industry security standards should be part of the equation. It was the issue of standards that stalled and ultimately killed last year’s legislation, with lawmakers disagreeing over whether the proposed rules should be voluntary or compulsory. The business community, led by the Chamber of Commerce, vehemently opposes any industry cybersecurity standards or regulation.
The new bill is a “message bill,” Senate staffers told Breaking Defense. Its language is designed to lay out the priorities for more comprehensive legislation to follow this year. Among its main features are voluntary standards and rules for industry. The bill’s authors also intend to use the executive order as a base to build on. For example, staffers said that the executive order can’t do anything about liability protection for firms participating in a voluntary program because the order can only enhance existing federal agency operating rules. However, any legislation that complements the order would be beneficial, staffers said.
With the executive order released, the path is now open to write more comprehensive legislation. Sen. Tom Carper, the new chair of the Senate’s Homeland Security and Governmental Affairs Committee, plans to get things moving as soon as possible with a series of hearings, explained Emily Spain, the senator’s spokesperson.