Breaking Cybersec Legislation DeadlockBipartisanship May Have Reared Its Pretty Head in New Bill
Owners of critical IT infrastructure might be shamed into providing the necessary security to safeguard their information assets. That's one takeaway of proposed, compromise IT security legislation being circulated by two senators, one a Democrat, the other a Republican.
Enactment of major cybersecurity legislation has been thwarted by the reluctance of Republicans, with a few exceptions, to impose any type of regulation of the private-sector owners of critical infrastructure. Democrats, for the most part, see at least some limited role by government in assuring the safety of critical IT infrastructure.
The problem with doing it on the cheap is that organizations without budgets are seldom successful at driving changes throughout government
Yet bipartisanship may have reared its pretty head again in the form of a draft outline of a bill by Sen. Sheldon Whitehouse, D-R.I., and Jon Kyl, R-Ariz. That draft outline makes it fairly clear that government won't regulate critical infrastructure owners but does propose a process in which infrastructure owners voluntarily work with the Department of Homeland Security to develop and implement practices to safeguard these critical IT systems and audit their security performance.
"You can use naming and shaming as a mild form of incentive, to reward companies that are doing this and shame companies that aren't," says Allan Friedman, research director at the think tank Brookings Institute's Center for Technology Innovation. "Imagine a year or three from now, we'll have stock market investors who care about this sort things, and think about public risk exposure in the cyber domain."
The legislation would direct DHS to collaborate with sector-specific federal agencies, the departments of Commerce and Defense and the private sector to identify what businesses should be deemed critical infrastructure. This DHS-led group also would perform top-level assessments of cyber risks to critical infrastructure sectors, designate covered critical infrastructure on a categorical basis and identify businesses that operate critical infrastructure.
But there's an out for designated critical infrastructure owners who feel they shouldn't face the financial consequences of paying for additional IT security that such a label would result in. They can lobby Congress to have their critical infrastructure designation excised. The draft outline would give Congress veto power over any DHS critical infrastructure designation.
Establishing Voluntary Baseline Performance Goals
The Whitehouse-Kyl plan would have government and business develop voluntary baseline performance goals that critical infrastructure providers can use to self-certify themselves and receive from DHS a cybersecurity protection program certificate that entitles them to liability protection. Liability protection would bar punitive damages, limit non-economic damages and provide a rebuttal presumption of non-liability for the effects of an external cyber attack. To encourage critical infrastructure owners to adopt best practices and become certified, the proposed legislation would give preferences in federal procurement to businesses that receive certification.
The proposed legislation also would direct DHS to create a ranking of critical infrastructure owners based on the best practices they adopt and the certifications they received to secure their IT.
The proposal defines critical infrastructure as systems that, should they fail, would result in interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations, catastrophic economic damage to the nation or severe degradation of national security.
Indeed, companies that operate systems the nation relies on for national security could be certified by DHS and DoD as critical infrastructures and be required to participate in the assessments and audits that would be voluntary to others. That's a key provision, says James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, a Washington think tank. "We all know what will happen in a voluntary regime - none of the companies will do anything. So giving the two departments the authority to go to some key companies and say, 'do it,' is essential."
Step Toward Compromise
Does this proposed legislation stand to be the bill to break the partisan bickering? No one will say so with certainty. "The concepts have, at first glance, some appeal," homeland security consultant Paul Rosenzweig, a former DHS deputy assistant secretary for policy, says in a blog. "Certainly the elimination of a mandate is a step toward compromise."But with a split government, former Interior Department Chief Information Officer Hord Tipton doesn't see this bill reaching President Obama's desk. "It will be perceived by many as being too lenient to address the serious problems against our critical infrastructure posed by cyberattacks," says Tipton, executive director of (ISC)Â², an IT training and certification organization. "This is definitely not ready for prime time."
Still, if enacted, the success of this legislation could be contingent on how much money Congress appropriates to fund the new bureaucracy that would be situated in DHS and headed by a Senate-confirmed leader.
"You can do it on the cheap, but the problem with doing it on the cheap is that organizations without budgets are seldom successful at driving changes throughout government," Brookings' Friedman says. "If this organization can come to other agencies and say, 'We got the funding to do this, and therefore we need your cooperation,' that is going to have a much higher level of success. In terms what it would cost in dollars, I can't speculate with any credibility, but I can say it's going to more than head count. You can judge the effectiveness of this type of program by how much they're willing to spend."