The FISMA Focus IPD

From: HSToday.US

By: Mickey McCarter

Over the protests of business interests, Sen. Joseph Lieberman (I-Conn.) worked with his cosponsors and a group of other lawmakers to water down his cybersecurity bill.

The Cybersecurity Act (S. 3414) no longer provides the Department of Homeland Security (DHS) with the authority to set and regulate standards for cybersecurity protection among companies designated as owning critical infrastructure. Instead, an interagency council would enact standards set by an industry group, and those standards would be voluntary.

And business still doesn’t like the bill.

A pair of letters dated Wednesday from the US Chamber of Commerce and the Internet Security Alliance (ISA) lay out the private sector’s objections to the legislation, which received clearance Thursday to move ahead for debate in the Senate.

R. Bruce Josten, executive vice president of government affairs at the US Chamber, pointed out that the bill would still require mandatory measures and third-party auditors while doing too little to protect proprietary information. And furthermore, DHS is still involved, much to the Chamber’s chagrin.

The Cybersecurity Act “has been rushed to the floor without a legislative hearing or markup,” Josten wrote in his letter, echoing concerns raised by Sen. John McCain (R-Ariz.), who also opposes the bill. “The bill was introduced just last week and remains a moving target; new and modified provisions of the bill are expected to be released in the coming days. The Chamber believes that, at a minimum, more time is needed for the Senate to more fully assess this deeply flawed proposal.”

The bill would introduce a government-managed process for setting up cybersecurity standards, which would only serve to saddle participating companies with more government obligations, Josten said. Under the bill, the government would have too much authority to change the cybersecurity standards, making them less “flexible” and more “prescriptive” as companies implement them.

Josten also objected to audits by third parties, who would receive sensitive business information in the course of their work, thereby exposing companies to more risks. Not only would companies be unable to protect some proprietary information from these auditors, they would have to spend considerable time and money complying with their assessments.

Although DHS isn’t calling the shots alone under the new version of the Cybersecurity Act, the US Chamber still finds the department’s involvement unpalatable.

The bill “anchors too much control of information-sharing processes in the hands of the Department of Homeland Security,” Josten wrote. “The department should have a role to play in possible with appropriate government and business entities. However, S. 3414 would eliminate the ability of non-civilian entities such as the Department of Defense and the National Security Agency to receive cybersecurity information directly from the private sector.”

This arrangement essentially produces “silos” that would slow the timeliness of some information and degrade the quality of some. The bill also does not spell out the liability protections from lawsuits businesses would earn by sharing information with the government.

The US Chamber continues to support cybersecurity legislation such as the Cyber Intelligence Sharing and Protection Act (CISPA) (HR 3523), passed by the House in April, and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology (SECURE IT) Act (S. 3342), Josten said. These bills contain voluntary information-sharing mechanisms that provide companies with actionable threat information and government with information on incidents and vulnerabilities.

Josten called for legislation that would foster truly voluntary participation and remove legal roadblocks to information sharing.

“Rather than the approach taken under S. 3414, the Chamber believes the Senate has an opportunity to take a positive, non-regulatory step forward on cybersecurity by removing legal roadblocks that prevent the private sector and government from sharing cyberthreat information to help protect the nation’s infrastructure,” Josten wrote. “The Chamber believes that the Senate can pass meaningful cybersecurity legislation this session; S. 3414 is not such a bill.”

Potential allies

The ISA, which long endorsed the White House National Strategy to Secure Cyberspace and encouraged sympathetic legislation, also expressed disappointment in the Cybersecurity Act in a letter Wednesday.
ISA President Larry Clinton thanked lawmakers for their work on the bill, saying that it would get some things right.

The bill rejects a burdensome regulatory structure under DHS, which could set forth a process that would result in cybersecurity standards in about a decade under the inefficiencies of government processes, Clinton said. That set-up would be out of touch with the speed of technology.

Clinton also applauded a National Cybersecurity Council, which would work with industry to provide incentives for complying with cybersecurity standards. The bill also would affirm relationships companies have developed with sector-specific agencies under the National Infrastructure Protection Plan, with water utilities communicating with the Environmental Protection Agency about their cybersecurity concerns, for example, Clinton noted.

But despite his praise, Clinton ultimately said the bill is no good.

“The ISA membership consists of cybersecurity experts who understand that while the threat is real and immediate, the issue is also subtle and complex. We believe Congress can and ought to pass meaningful cybersecurity legislation in this session. However, even well-intentioned initiatives, without careful consideration and discussion with the entities that will be affected by the proposals, can easily make our security situation worse. And that, we cannot afford,” Clinton warned in his letter.

The National Cybersecurity Council, while a good idea theoretically, would receive too much authority under the present form of the bill, Clinton protested. Sector coordinating councils, which would provide input to the council, would have little time and no resources to fulfill their responsibilities. And then on top of that, the council could merely amend or add to their prescribed standards.

While private=sector councils can provide input to the standards-setting processes, lawmakers did not ask them or brief them on their role.

“Given the stakes present in the cyberthreat, and the lack of clarity or specificity of this section, it would be wise to seek input from the private sector councils during a legislative hearing process,” Clinton said.
Like the US Chamber, the ISA called for one-on-one information sharing, particularly with military agencies, such as directed under CISPA.

ISA further protested the involvement of the Securities and Exchange Commission (SEC), which would be provided the capability to identify companies with poor cybersecurity standards and publicize them in a manner to “name and shame.” ISA and the US Chamber agreed that such government activities were inappropriate and counterproductive.

Despite the new provisions contained in the Cybersecurity Act, Lieberman said the bill has been “a decade in the making” in introductory remarks on the Senate floor Wednesday.

Thursday, Lieberman touted four individual companies that endorsed the legislation Thursday, contrary to the positions of industry associations in Washington. The companies included Oracle, Cisco, CA Technologies and EMC/RSA — all large information technology firms.

“The provisions regarding the designation of critical cyberinfrastructure, the specifics of cybersecurity practices, and the treatment of the security of the supply chain demonstrate your continued recognition of these core principles, and we support them. Wherever the important cyberdebate takes this legislation, these core principles should be promoted and preserved. We believe these provisions as written capture that principle and believe it is in the interest of cybersecurity and critical infrastructure that they remain explicit. We also commend your commitment to ensuring that the IT industry maintains the ability to drive innovation and security into technologies and the network,” wrote Blair Christie, chief marketing officer of Cisco Systems, and Kenneth Glueck, senior vice president of Oracle Corp., in a joint letter.