Congress, the bastion of gridlock and acrimony that shut down the FAA, hasn’t passed a budget since the middle of the Bush Administration, and almost caused a default on the debt, looks increasingly poised to consider legislation to dramatically overhaul and systematize how the United States responds to a cyber attack, with lasting repercussions for private and public sector operations.
Both the House and Senate are working on bi-partisan legislative vehicles which are poised to see significant floor time in the next few weeks. The bi-cameral consideration could even be followed by a substance-based conference committee and enactment by the President before Election Day. For the Schoolhouse Rock fans (www.schoolhouserock.tv/Bill.html), a major piece of legislation moving through the regular order, just as Saturday morning infomercials told you about, would be a major accomplishment in present-day Washington.
So what are the bills? Where do they stand? And what’s in them?
The threat of cyberattack on critical infrastructure, corporations, universities, financial institutions, and government entities has been around since before Matthew Broderick and Ally Sheedy tried to prevent Global Thermonuclear War in the 1983 classic "War Games", but has only grown as the world has become increasingly reliant on the internet and computer systems. This year’s assessment of national security threats by the Director of National Intelligence placed cybersecurity on par with counterterrorism (al Qaeda) and counter-proliferation (Iran) as immediate areas of focus. In May of last year, the President submitted to Congress a ten-point legislative plan to strengthen critical infrastructure against cyberattack. Before Congress adjourned for the year, Senate Majority Leader Harry Reid informed his Republican counterpart, Sen. Mitch McConnell, that comprehensive cybersecurity legislation would be a priority for 2012. Finally, in the waning days of the first session of the Congress, the House Intelligence Committee passed out H.R. 3523, the Cyber Intelligence Sharing and Protection Act, by a bi-partisan 17-1 majority.
The House Bills
Two pieces of legislation are vying for predominance in the House: one with Select Intelligence Committee jurisdiction (the above-mentioned H.R. 3523) and one from the Homeland Security Committee (H.R. 3674, the PRECISE Act).
The main differences between the bills provide a small window on the approaches being considered by the Congress. The largest difference, and one that might not manifest itself until the extensive Executive Branch rulemaking, is who will be in charge of implementation. H.R. 3523 would hand much of the responsibility to the Director of National Intelligence and the Pentagon, while the PRECISE Act would give the lead to the Secretary of Homeland Security.
A second point of departure between the bills is how prescriptive they are on public-private and private-private information sharing. The PRECISE Act creates a non-profit private sector clearinghouse to manage the private sector pieces of cyberthreat information sharing and would create more detailed privacy protections. Meanwhile, H.R. 3523 authorizes the information sharing but does not create a new organization to help bring it about.
Another major difference between the two lies in exactly what type of information is to be shared. This is of great concern to civil libertarians and others. The Intelligence Committee’s bill authorizes the sharing of information concerning "efforts to degrade, disrupt, or destroy", while the PRECISE Act limits sharing to information "to describe a method of defeating technical controls on a system of network".
As of this writing, it is much tougher to categorize the contents of the Senate bill (or even whether there will be just one bill; rumors are swirling that some Republican senators might offer competing legislation), mostly because a final bill has yet to be introduced. Senator Reid has stated, and re-stated, his goal to have a final draft bill ready to go and head to the floor in a matter of weeks. Retiring Senator Joseph Lieberman, who would be charged with guiding the legislation through the chamber, has said cybersecurity will be the capstone on his career. So momentum for getting something passed is present and the right players are committed to its success.
All indications are that the Senate bill will keep jurisdiction within the Secretary of Homeland Security, and that there will be a process for establishing "high-priority" sectors and conducting what would essentially be risk-based audits of those sectors and the likely impact to the nation if compromised. There would be established guidelines and practices for owners of critical infrastructure to comply with in order to secure their networks and to implement "performance requirements" for response. Ideas have been floated concerning third-party audits and mandated reporting requirements, and some in the business community fear that the emerging bill might be much more prescriptive than their comfort level.
For now, most of this is speculation. A bill hasn’t been introduced, but its introduction is imminent and its consideration will soon follow. What seems assured is that this year will be the first to have a serious Congressional effort to address what is universally considered to be a very real threat to the security of the United States.