BreachExchange mailing list archives

Seeking Compromises on CyberSec Bills


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Jan 2015 18:56:03 -0700

http://www.databreachtoday.com/blogs/seeking-compromises-on-cybersec-bills-p-1804


October is officially cybersecurity month, but don't tell that to the
Washington politicos, who have spent much of January discussing ways to
secure information systems and data.

Earlier in January, President Obama touted a series of cybersecurity
legislative proposals, including sharing cyberthreat information and
nationalizing data breach notification, running up to his State of the
Union address on Jan. 20. This past week, Congress focused its spotlight on
cybersecurity, holding a series of hearings on ways to make cyberspace
safer for government, business and Americans.

Even the Senate Judiciary Committee's confirmation hearing on Loretta Lynch
to be attorney general addressed cybersecurity, when the nominee called for
a tough approach against cybercrime. "We need to up our game in terms of
cyber activity [and] have the resources to keep up with cybercrimes in
terms of detection and even before the apprehension of cybercriminals,"
Lynch testified.

This attention in Congress means that lawmakers are more serious than ever
about enacting cybersecurity legislation. Congress hasn't always acted
swiftly on significant IT security bills. It took a half-dozen years to
reform the law that governs federal government IT security - Federal
Information Security Management Act - when late last year Congress enacted
a bill with a similar moniker: the Federal Information Security
Modernization Act.

Hurdles to Be Cleared

It shouldn't take Congress another six years to pass other critical IT
security legislation, but as revealed at several of this week's hearings,
obstacles remain.

At the Jan. 28 hearing of the Senate Homeland Security and Governmental
Affairs Committee, Chairman Ron Johnson, R-Wis., asked witnesses - mostly
industry experts - what barriers they saw in getting cyberthreat
information sharing legislation enacted.

Gregory Nojeim, senior counsel at the advocacy group Center for Democracy
and Technology, pointed to the National Security Agency's bulk collection
program. Congress last year tried, and failed, to enact legislation - the
USA Freedom Act - to curtail the NSA program that collects metadata from
communications.

"You've got to do that before you get to cybersecurity information sharing
because everyone knows that some of this information sharing in the
cybersecurity program is going to end up at the NSA," Nojeim said. "Unless
you do something to reform that, I don't think you could do the cyber
[sharing] first."

Privacy Protections

Another impediment to passing cyberthreat information sharing legislation
is providing sufficient privacy protections. Nojeim and other privacy
advocates want an information-sharing bill that requires businesses to
strip personally identifiable information from any data before it's shared.
President Obama's proposed information-sharing legislation would require a
reasonable effort by businesses to excise data that could be used to
identify specific individuals before sharing the data.

But Scott Charney, Microsoft corporate vice president for trustworthy
computing, told Johnson that situations exist in which some PII, such as IP
addresses, should be shared. "The way to solve this problem, generally,
about using PII is to make sure that when the government wants to get
personally identifiable information, it uses the transparent, judicial
procedures already in place, with which we're all familiar, and balances
the competing interest between government access to PII and privacy."

Another obstacle: how to provide liability protection for businesses that
share cyberthreat information. Businesses don't want to be penalized for
sharing cyberthreat information if doing so would expose practices
that could result in a civil lawsuit or criminal complaint. Marc Gordon,
executive vice president and CIO for American Express, says the Obama
proposal fails to furnish liability protection when businesses share
cyberthreat information with each other if they don't go through a
government-operated hub. Companies, he says, don't like proposals that
would, for example, require audits as a condition of getting liability
protection. Others see them as incentives to ensure companies act in good
faith when sharing cyberthreat information.

Nationalizing Breach Notification

Also, legislation to nationalize data breach notification faces some
similar obstacles (see Barriers to Passing Federal Breach Notification
Bill). Most industry groups favor a single, national law because it would
pre-empt the existing 47 state statutes, making compliance simpler for
businesses, because they would only need to comply with a single law. It's
a point made by the president in his national data breach notification bill
and by federal lawmakers who over the years have introduced national
notification legislation. But privacy and civil liberties advocates contend
these national legislative proposals that pre-empt state laws would weaken
protections guaranteed by some state statutes. For instance, CDT's Nojeim
points out, California's data breach notification law protects medical
records, something the president's and other lawmakers' plans would void.

It's doubtful that a majority of lawmakers feel as strongly about usurping
state laws - and the protections they furnish - as do the privacy
advocates, but there could be enough legislators to block passage of a
national bill, especially in the Senate, where 60 votes are needed to halt
a filibuster.

Glass Half-Full

Still, having barriers to passage doesn't mean they cannot be surmounted.
With highly publicized breaches these past couple of years, Congress wants
to enact new cybersecurity laws, and lawmakers may be more willing to
compromise than they have in the past. After all, FISMA reform remained
bottled up in Congress for years, in part, because some key lawmakers
didn't want to give the Department of Homeland Security authority over
civilian agencies' implementations of cyber protections. With breaches
mounting, lawmakers agreed on compromise language that reiterated the
Office of Management and Budget's key policy role in government IT security
while codifying DHS's powers to enforce those policies.

Plus, Republicans who control Congress want to prove they can govern, and
cybersecurity is a realm where they're in general agreement with the
Democratic president. "It's a matter of concentrating on the shared goal of
trying to reduce these cyber-attacks," Johnson told reporters following the
hearing, according to the news site The Hill. "So I'm actually encouraged
by it."

Sen. Tom Carper of Delaware, the panel's ranking Democrat who sponsored
FISMA reform last year, said he intends to introduce "sensible"
cyberthreat-sharing legislation, perhaps in conjunction with Johnson.

Look for lawmakers to compromise on the latest cybersecurity-related
legislation. It will take some time, but likely not another six years.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
