BreachExchange mailing list archives

Cybersecurity: A Congressional Priority


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 Jan 2015 20:09:14 -0700

http://www.databreachtoday.com/cybersecurity-congressional-priority-a-7751


The 114th Congress, with solid Republican majorities in both the House and
Senate, convenes this week at a time of growing public awareness of
security breaches, especially the cyber-attack last year on Sony Pictures
Entertainment.

And that means the new Congress is likely to soon take up legislation to
promote the sharing of cyberthreat information between business and the
government in an effort to help foil breaches.

"It isn't becoming a political issue in the sense that it is partisan. It
is, however, becoming political in the sense that the general public is
becoming increasingly concerned with the security of the systems they
depend on," says Paul Rosenzweig, a former Department of Homeland Security
policymaker who serves as a senior adviser to The Chertoff Group, a risk
consultancy. "That concern will drive the debate."

President Obama also is putting pressure on Congress to enact laws to make
cyberspace safer, especially legislation to encourage the sharing of
cyberthreat information. After the cyber-attack on Sony Pictures
Entertainment, Obama used his year-end press conference on Dec. 19 to call
on Congress to pass threat-sharing legislation.

"One of the things in the new year that I hope Congress is prepared to work
with us on is strong cybersecurity laws that allow for information-sharing
across private sector platforms, as well as the public sector, so that we
are incorporating best practices and preventing these attacks from
happening in the first place," he said.

Will Squabbling Continue?

In the past two Congresses, Obama and House lawmakers bickered over the
wording of cyberthreat sharing legislation, with the White House twice
threatening to veto legislation that passed the House of Representatives
with bipartisan support. The Senate, controlled by Democrats until this
week, never took up its version of the legislation.

The White House and Congress differed on how to ensure the protection of
individuals' privacy as well as their civil liberties. In its veto threat,
the administration said the legislation passed by the House last year
failed to require businesses to take reasonable steps to remove irrelevant
personal information when sending cybersecurity data to the government or
private-sector entities. "Given some issues that the privacy community has
raised, we need to take that into account as we ... work on the bill," a
senior administration official said last year in discussing the legislation.

Other differences between the administration and Congress centered on how
cyberthreat information is shared with intelligence agencies. Privacy
groups worry that the National Security Agency and other intelligence
organizations could misuse the data to threaten Americans' privacy and
civil liberties.

The administration also contended that legislation in the last Congress
extended liability protections too broadly. Businesses say they need the
legislation to prevent lawsuits that could result from disclosing how they
protected - or inadequately safeguarded - their digital assets. But the
administration expressed concern that the bills before Congress could allow
businesses to exploit those protections to thwart lawsuits that have
nothing to do with cybersecurity.

Compromise in the Air

Can the White House and Congress compromise? Several experts say they
believe both sides are motivated to find a middle ground.

"It takes 60 votes in the Senate to move a bill," Rosenzweig says. "After
Sony, I am skeptical that there are 41 votes to block information sharing
legislation."

Dan Lohrmann, the former Michigan state chief information security officer
who has long kept an eye on Washington cybersecurity developments, expects
members of Congress to act on the issue this year. "They want to be shown
as doing something constructive before something worse happens than the
recent attacks on Sony," he says. "Cyber may offer the better hope [for
compromise] as compared to immigration [reform] or debt reduction."

Lohrmann, now chief strategist and chief security officer at security
awareness training firm Security Mentor, points out that many lawmakers -
including Republican Sen. John McCain of Arizona and Democratic Rep. Jim
Langevin of Rhode Island, co-chairman of the House cybersecurity caucus -
have called on Congress to act quickly on cyberthreat information sharing
legislation.

But to reach a compromise, the White House and Congress must first agree on
a definition of privacy, says Gene Spafford, who as executive director of
Purdue University's Center for Education and Research in Information
Assurance and Security follows cybersecurity legislative developments.

"There is no broad policy on privacy, and there needs to be," Spafford
says. "We need clear lines on privacy protection from companies giving up
too much information, to government agencies collecting too much. Companies
and agencies should be liable for poor practices and for over-sharing or
exposure. The fair information privacy principles are a good start for
defining reasonable limits to what is collected and shared."

Three Factors to Mull

To get a bill enacted, Spafford says, lawmakers need to address the three
factors influencing the conversation around cyberthreat information sharing
legislation: national security, privacy and undue burdening of business
with new requirements. "Depending on who you talk to, the balance of these
three is different," he says. "Without some better understanding of
consequences and compromise, action will not be uniformly accepted."

Larry Clinton, president of the Internet Security Alliance, a trade group
that backed the House legislation, warns against expecting the adoption of
a new cyberthreat information sharing law to have a substantial impact on
data breaches. "Are we overhyping the information sharing legislation and
giving the impression that this bill would solve, or even make a
significant dent, in the cybersecurity problem?" he asks.

Clinton, for instance, says he doubts that a cyberthreat information
sharing law would have helped to prevent the Sony breach. "Most of the
benefit of information sharing would be to help entities [stop] second
attacks that use similar methods," he says. "I haven't heard anyone in the
government come forward and say they had information that would have helped
Sony stop the attack. ... To think we are going to address this problem by
passing one narrow bill, even a good one, is woefully mistaken."

The new Congress also is expected to take up legislation to nationalize
data breach notification. Business leaders say they need one national
statute because of the burden their companies face in complying with 47
different state laws. Many lawmakers and the Obama administration favor a
national law, but the big challenge facing Congress is deciding on key
provisions, such as what constitutes a breach worthy of notification and
when businesses should notify individuals and law enforcement of a breach.
As the multitude of state statutes shows, there's no consensus on the
provisions to be incorporated in a data breach notification law.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss