Eugene Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security, sees Congress' committee structure as a deterrent in getting cybersecurity legislation passed. Various committees in both houses claim jurisdiction over different aspects of IT security, and intra-house squabbling can cause a bill to get lost on its way to becoming law.
"Each one of these committees wants to have jurisdiction of some kind over anything that's done in cybersecurity, and this crosses party lines and has been an impediment in previous years," Spafford says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
In the current Congress, however, Spafford sees a greater focus in both houses to try and pull members together. Senate Majority Leader Harry Reid, D-Nev., has asked the chairmen of various committees with IT security oversight to come up with a comprehensive cybersecurity bill. In the House, Republican leaders formed a task force to address cybersecurity legislation (House Creates GOP-Only Cybersec Task Force).
In the interview, Spafford also discusses:
- Breach notification bills before Congress, and presents his views on what requirements they should include.
- New ways to spread IT security awareness through the creation of a cyber equivalent of an agricultural extension agency.
- Effects of the weak economy on funding cybersecurity awareness initiatives.
Spafford has served on the Purdue faculty since 1987. He is also a professor of philosophy, communications and electrical and computer engineering. His research interests focus on information security, computer crime investigation and information ethics. He is recognized as one of the senior leaders in the field of computing.
IT Security LandscapeERIC CHABROW: Just this year, hackers believed backed by a foreign government likely stole 24,000 files related to U.S. military weapons systems. Hackers broke into the IT systems like security provider RSA and entertainment company Sony. So-called hacktivist groups Anonymous and LulzSec claimed hacks of government and business sites. Is the IT security landscape as rocky as it seems? Are government, businesses and individuals in more danger online than ever before?
EUGENE SPAFFORD: It's difficult to say if the danger is greater now, because so many things change so quickly. But it is true that the landscape is, as you say, rocky. Systems are not protected consistently as they should be, and there are a number of elements who are interested in getting into those systems. The environment is not a safe one.
CHABROW: This is especially true, at least the perception is, to consumers. In May, you testified before the House Subcommittee on Commerce, Manufacturing and Trade on the threat of data theft of American citizens. We're speaking in late July, and the House Subcommittee just approved a version of a breach notification bill known as the Safe Data Act that would supersede 47 state breach notification laws. What are your thoughts, generally, about the bill?
SPAFFORD: The bill has a number of elements to it that are sound, in terms of requiring reporting of information and setting some protection standards for information. The testimony I provided was on behalf of USACM, the U.S. public policy council of ACM. We, as a group, have produced a list of 24 privacy principles that we hoped to see addressed more explicitly in the legislation, although they weren't. But there are some things in the legislation that are positive moving forward. It's not clear at the moment whether or not it will get all the way through Congress unscathed. It does allow the FTC some flexibility in setting rules in investigations. Superseding state laws is probably a good thing for businesses, in particular, because they are able to have a single, consistent set of standards to apply for business everywhere in the United States, although it may not allow states to be a little more proactive and move more quickly as threats occur. It's a complex situation, but it is progress forward, although Congress had passed similar bills several times in previous years, and they either died on the floor of the House or never made it into the agenda of the Senate.
Congress & CybersecurityCHABROW: You follow Congress. The atmosphere seems a bit different this year than in at least the past two years or past couple Congresses, although there isn't much to show for cybersecurity legislation in the past several Congresses.
SPAFFORD: The big issue with Congress is how really divided it is - and not by political parties but by committees. The committees have oversight responsibility for certain agencies and areas of the law, and the committees have a certain level of power and seniority based on how much they cover, and they very jealously guard their turf. When bills are introduced, they have to go to the appropriate committee, and if they touch on other areas, very often they are not considered or they're cut up. And this is where we've seen a lot of the fragmentation in cybersecurity, because it touches so many agencies. It touches law enforcement, DHS, defense, intelligence, commerce, privacy issues, law enforcement issues, all kinds of things. Each one of these committees wants to have jurisdiction of some kind over anything that's done in cybersecurity, and this crosses party lines and has been an impediment in previous years. This year, because the problem has gotten worse over the last few years, it has also become more of an administration priority and something that consumers are more concerned with. I think there has been greater focus by the leadership in both of the houses of Congress to try to get the members to pull together. That's why we've seen a little bit more progress, but there are still more than two dozen bills on cybersecurity and privacy that are winding their way through various places in Congress.
CHABROW: What would you like to see come out of Congress? What can Congress really do that will help IT security both in government and in the private sector?
SPAFFORD: At this point, it's a little difficult to say exactly what should be done legislatively. There's a danger that if too much gets enacted in legislative language, it won't be flexible enough to deal with future issues. But here are some of the key points that really should be addressed. First of all, breach notification and setting minimum standards for personal information really is an important issue. I'd like to see that extended to all government agencies, as well as commercial and private entities. We need to have some more priority and funding given to law enforcement to follow up on issues, misuse of information, breaches and very possibly negligence as well. And this is more than simply the investigative aspect of law enforcement but also the prosecution, the follow through. That's important.
A third issue isn't so much a guidance or penalty, but providing a little bit more direction and education on good practices. NIST has done a good job of setting some standards, but they're very technical and detailed and don't translate well for the general public and for small businesses. Having some kind of effort to push cybersecurity education and assistance out, not from a central location out of Washington, but to enable that to spring up around the country, would really be important. The model that I've seen discussed in at least one bill is modeled after the agricultural extension offices that are available in many counties and states around the country. Having a cybersecurity extension service where people could go to get advice on how to protect their systems, how to deal with privacy breaches or break-ins, would be very valuable. I'd like to move it in that direction, but I don't think we will.
Cyber-Equivalent Ag Extension ServiceCHABROW: I'm just curious about that. Would this be an agricultural extension equivalent where it wouldn't necessarily be geographically based but based on how people are using computing?
SPAFFORD: It would probably be a combination of both of those. There are some locations, some areas of the country, for instance, where an actual physical presence isn't going to make sense. But having a local presence where people know that they're talking to someone nearby, in a sense of somebody at the state level or their local level, might make general consumers a little bit more likely to be involved. But it does have a physical component in that if someone's PC desktop computer or laptop has a problem, it would certainly be helpful if they can bring it in to have the problem identified and get some ideas on how to solve it, similar to an AG-extension office now.
If I discover an odd weed or an unusual bug in the garden, I can take it into the extension agency and they will identify it and give me some suggestions on how to control it or whether or not it's a problem. Right now we have so many people who are falling victim to botnets, viruses, identity theft and they don't really know where to turn. The government has some resources, but they're all available in a centralized location. They aren't well-tailored, they aren't always presented so that people can understand them well and people may not even know where to go for them. We need to do a better job there about pushing education and assistance out locally.
CHABROW: Are you concerned at all with the fiscal crisis this nation is facing, that the federal government won't have sufficient funds to do what it should as it relates to IT security, let alone local and state governments that are in more dire straits?
SPAFFORD: The economic situation affects lots of things, and cybersecurity-direct funding is certainly part of that, but it also affects many indirect issues having to do with education, businesses being able to afford to put new protections in place or hire new cybersecurity personnel, all kinds of other issues that definitely have indirect impacts on security and privacy. It's not simply the debt. It's the combination of how much is owed, where the priorities are for either putting new money or cutting money and the disagreements over how to proceed, all are having a negative impact.
I should also add that another issue here is it's not simply a U.S. issue, but there are economic problems worldwide. What we're seeing going on in Europe, for instance, with several countries having significant financial problems are also affecting what they're going to be doing with security. When we talk about IT security, we have international corporations that are holding data that have important functions, and we also have Internet connectivity. That means what goes on in another country, such as over in India or in Greece, really is somewhat Internet-local to what's going on in Boston, Dallas or Los Angeles.
IT Security & Privacy EffortsCHABROW: Do you see anything that gives you hope as it comes to IT security or privacy rights online?
SPAFFORD: The increasing level of awareness we have certainly helps. For a long time, we haven't had enough people concerned to put pressure on government and business to try to improve privacy and try to improve security. That we are seeing increasing concern paid here indicates that there is increasing public awareness and concern over this problem. That's a good sign, so long as what is done is effective. I'm also encouraged that several companies, some startups and some long established, are concerned with privacy and talking about it in their offerings. For instance, some of the privacy-supporting features in Google+ are promising. That's not to say information entrusted to Google in general has the best privacy protections, but they're showing concern for it. That's a good thing.