Cybersecurity Legislation: What's Next?Analysis: FISMA Reform, Cyberthreat Information Sharing
With Congress back in Washington after its summer recess, lawmakers' are focused on Syria, the federal budget and the debt limit. Cybersecurity is in its usual place, taking a backseat to other challenges.
Still, cybersecurity awareness in Congress is at its zenith, thanks to the Edward Snowden and Bradley Manning leaks, highly publicized cyber-attacks and President Obama's issuance last February of an executive order to create a cybersecurity framework to protect the nation's critical infrastructure (see Obama Issues Cybersecurity Executive Order). And if there's not much rhetoric heard about cyberthreats from Capitol Hill, behind the scenes, congressional staffers are tweaking legislation aimed at safeguarding the federal government and the nation.
Pressure will be on Congress - especially the Senate - to act by year's end to avoid politicizing cybersecurity in 2014, an election year. For the most part, cybersecurity is a bipartisan issue. But some philosophical differences have prevented significant cybersecurity legislation from being enacted.
In the last Congress, Republican objections over regulating industry led Democrats to rewrite legislation to make IT security standards voluntary. That legislation died with the end of the 112th Congress. Still, some in the GOP even object to voluntary standards, concerned that they could coerce businesses to adopt them.
Giving the Department of Homeland Security sway in getting federal civilian agencies to comply with IT security standards met resistance in some quarters, helping thwart passage of comprehensive cybersecurity legislation.
Avoiding Past Pitfalls
The big question is: Can Congress avoid past pitfalls and find compromises that lead to the enactment of significant cybersecurity legislation? If not, it won't be for a lack of trying.
There's a slew of cybersecurity-related legislation winding its way through Congress or in the process of being drafted, including reforming the Federal Information Security Management Act, the 11-year-old law that governs federal government IT security; implementing processes to promote the sharing of cyberthreat information between government and industry and encouraging initiatives to develop new IT security technologies and processes and grow the IT security workforce.
The Republican-controlled House, with bipartisan support, earlier this year passed three major cybersecurity bills: the Federal Information Security Amendments Act, a FISMA reform measure that was unanimously approved in April (see FISMA Reform Passes House on 416-0 Vote); the Cyber Intelligence Sharing and Protection Act, a cyberthreat information sharing measure approved by a 288-127 vote (see House Handily Passes CISPA); and the Cybersecurity Enhancement Act, to promote cybersecurity research and development and explore ways to increase the pool of IT security practitioners in the United States.
Despite overwhelming Democratic support for the approved House bills, the Democratic-controlled Senate isn't likely to rubberstamp the lower chamber's measures.
Take FISMA reform, for example. The House bill does not give DHS authority to oversee implementation of IT security processes at civilian government agencies, something that previous Senate legislation has championed and the Obama administration has put into practice through executive actions. Future Senate legislation could likely codify those executive actions, but not go as far as the Cybersecurity Act of 2012, which never came up for a vote last year. In that comprehensive bill, which incorporated FISMA reform and cyberthreat information sharing rules, Senate sponsors advocated the creation of a National Center for Cybersecurity Communications. Don't expect that type of bureaucracy is a new Senate bill.
Priorities change with leadership changes. In the last congress, the Senate Homeland Security and Governmental Affairs Committee was chaired by Joseph Lieberman, the Connecticut Independent who advocated stronger DHS leadership in enforcing cybersecurity standards among federal civilian agencies. He retired last year, and the committee is now headed by Tom Carper, the Delaware Democrat who has been Congress' biggest proponent of FISMA reform.
And the administration's actions have already established DHS oversight of federal civilian agencies' implementation of cybersecurity programs, such as the $6 billion initiative to deploy continuous diagnostic and mitigation technologies and procedures (see Implementing Continuous Monitoring Plan).
Indeed, continuous diagnostics - the new government lingo for continuous monitoring - will be a key component in FISMA reform legislation to replace the now paper-based checklist approach of compliance in which agencies attest to the security of their systems in a triennial recertification process. The logic behind continuous diagnostics that it demonstrates that systems function securely, while the paper process mere attests to steps taken to secure the systems, and not whether they're actually safe.
Codifying Existing Practices
Part of FISMA reform will be to codify practices the administration has implemented, such as continuous monitoring. "If you look back throughout Congressional history, you will see a lot of efforts made by Congress to codify things that were already taking place in the executive branch," says Jacob Olcott, a principal specializing in cybersecurity at Good Harbor Security Risk Management and former counsel to the Senate Commerce, Science and Transportation Committee. "Part of that is to place the imprimatur of Congress on an executive action."
A Senate version of FISMA reform likely would be broader than the House bill, which endorses continuous diagnostics. One provision being considered by the Senate, though not incorporated into proposed any proposed legislation yet, would require agencies to notify Congress of a breach. Current procedures only require notification of individuals whose personally identifiable information has been exposed. The House bill would require breaches to be reported to a federal information security incident center and the agency's inspector general.
Another difference that needs to be resolved between the Senate and House involves cyberthreat information sharing. The House-passed CISPA bill goes too far in providing liability protection to businesses that share cyberthreat information, according to some senators and the White House (see White House Threatens CISPA Veto, Again). An April veto threat issued by the White House says: "Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals."
Some senators, backed by the White House, believe the House-passed CISPA bill fails to provide sufficient transparency to protect privacy and civil liberties when information is shared among government agencies, a contention the House sponsors dispute.
In the last Congress, Senate Majority Leader Harry Reid, D-Nev., combined the various pieces of cybersecurity legislation - FISMA reform, cyberthreat sharing and DHS cybersecurity reorganization, among others - into a single bill, the Cybersecurity Act of 2012.
The Senate hasn't decided whether it will take that omnibus approach this year. But a senior Obama administration official who works closely with Congress hints the Senate might take a different tack this year. "We will look at all the different ways we can put pieces of legislation together," the official says. "It may not come out as one giant, sweeping piece of cybersecurity legislation. We would be OK with that."
Senate Commerce Committee Chairman Jay Rockefeller, who shepherd legislation through his committee in July that would codify the cybersecurity framework of voluntary IT security best practices being developed through the auspices of the National Institute of Standards and Technology, sees other committees taking independent action on cybersecurity measures (see Senate Panel Passes Cybersecurity Bill). "I'm confident that others will follow our lead and develop their own bipartisan bills with key elements, including information sharing, that will complement our work to help strengthen and improve our economic and national security," Rockefeller says.
It's never safe to wager on what Congress will do. But the senior Obama administration official seems willing to take on a bet that Congress will enact significant cybersecurity legislation. "I continue to be optimistic that we can, through continued engagement with Congress, figure out a way to get meaningful cybersecurity legislation passed," the official says.