House GOP Unveils Cybersecurity Agenda
Republican Proposals Win Praise from Key Democrats"The 20-page Recommendations of the House Republican Cybersecurity Task Force generally seeks to limit new regulations and provide for voluntary incentives to get businesses to secure their information systems and assets.
Task force Chairman Mac Thornberry, R-Texas, in a briefing unveiling the report, said the White House proposals are "more regulatory than we believe is wise." Still, unlike most issues that divide Republicans and Democrats, compromise will be sought. "There's a lot of room to work together within Congress and with the White House," Thornberry said. "It's essential that we do so because of the economic aspects and national security aspects [of IT]."
Democratic lawmakers praised the GOP report. Sen. Joseph Lieberman, the Independent Democrat who chairs the Senate Homeland Security and Governmental Affairs Committees, called the Republican proposals "an important and positive step forward toward passing badly needed, comprehensive cybersecurity legislation." Encouraged by the task force findings, Sen. Tom Carper, D-Del., who chairs a subcommittee with cybersecurity oversight, called on both houses to "redouble our efforts to pass this much needed cybersecurity legislation as soon as possible." And, House Cybersecurity Caucus Chairman James Langevin, D-R.I., noted the Republican plan included many initiatives he had proposed.
Data Breach Notification
Areas of agreement include reforming the Federal Information Security Management Act, the main law that regulates government IT security; enhancing the cyber needs of law enforcement; hiring new IT security personnel; and the need to address data breach notification.
The GOP report did not unequivocally call for a single national law to supplant data breach notification statutes in nearly every state. Yet, the report did note that businesses have a hard time complying with multiple state data breach laws: "Congress should address data breach notification legislation that simplifies compliance for businesses and protects the sensitive personally identifiable information of individuals," the task force report says.
James Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies, a Washington think tank, was encouraged by the similarities between the GOP and Democratic approach to cybersecurity legislation. "Both sides of the aisle realize this is a national security problem and they have both come up with similar or complementary solutions." Lewis said. "Now the hard part will be to align them. The report did exactly what we need to start. It gives everybody involved a solid basis to work from."
The task force fell silent on whether Congress should establish an Office of Cyberspace, headed by a Senate-confirmed director, a so-called cyberczar, a position that's in legislation before the Senate. "Everybody here has different opinions on that," Thornberry said, referring to the task force members who couldn't reach a consensus on that matter.
The Republican task force report expresses skepticism of pursuing a comprehensive cybersecurity bill - an approach being considered in the Democratic-controlled Senate - and won't fund any new cybersecurity initiative unless the added costs are offset elsewhere in the federal budget.
The Republican report also calls for the adoption of voluntary incentives to encourage private companies to improve cybersecurity. "Incentives should be largely voluntary, recognizing that most critical infrastructures are privately owned," the report says.
Employ Existing Laws, Rules
It also proposes relying on existing laws and regulations to spur cybersecurity. For instance, rather than requiring new regulations, the government should rely on existing laws, when appropriate, that provide for IT security and privacy, such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bililey. "Any additional regulation should consider the burden on the private sector by requiring agencies to conduct a thorough cost/benefit analysis," the report says.
To encourage better IT security practices, Republicans say the government should adapt existing tax credit and grant programs to include cybersecurity. Congress also should study whether the insurance industry can help play a role in increasing the level of cybersecurity of firms that purchase cyber or data breach insurance and whether the cybersecurity insurance market is structured in a manner to accomplish that goal.
The GOP plan recognizes that the sharing of intelligence information among the government and business would help alleviate cyberthreats and encourage Congress to facilitate a non-government organization to act as a clearing house to disseminate real-time information. "There is substantial and understandable concern with the government monitoring private networks," the report says.
House Republicans say legislation might need to be enacted to exempt such information sharing from anti-trust laws. Also, the task force report says, information sharing within existing structures can be improved through limited safe harbors, when businesses voluntarily disclose threat, vulnerability or incident information to the federal government or ask for advice or assistance to help increase protections on their own systems.
On FISMA, the task force recommends the law be reformed to focus on secure, continuous, automated monitoring of IT systems rather than the current checklist exercise, which is ineffective, similar to legislation offered in the Senate. The GOP plan also recommends that changes in technology, such as cloud or distributed computing, should be contemplated in reform legislation. "This effort of bringing FISMA up to technological date will require multiple committees to work together on appropriate language," the report says.