How To Tackle Cybersecurity: Politico

On Jan. 29th, 2012, Politico ran an op-ed on cybersecurity legislation written by Senators Kay Bailey Hutchinson, Chuck Grassley, Saxby Chambliss, and Lisa Murkowski.  All of those Senators are Republican.

Many representatives have said that Congress needs to pass cybersecurity legislation quickly.  President Obama recently called for cybersecurity legislation passage in his State of the Union address.  There's at least 4 bills floating around.  The cyberattack on the Chamber of Commerce reportedly gave Congress new impetus for passage.  However, even with all this momentum, politics seems to be slowing the process.  This Politico op-ed highlighted that political battle. 

The op-ed opened with the following line: "there is a right way and a wrong way to address cybersecurity."  The Senators argued that the right way to address cybersecurity involves a looser approach that promotes the flow of information and encourages private sector innovation.  The wrong way?  "New, heavy-handed, costly regulation and further expansion of government bureaucracy."  That "heavy-handed regulation" is a reference to the Senate Democrat's and President Obama's version of cybersecurity legislation.   

Along the same lines, the Senators argued that cybersecurity legislation should not create new regulatory regimes, but rather, should just strengthen already existing regulatory regimes.  In this sense, strengthening existing regulatory regimes would do more to protect critical infrastructure than imbuing DHS with a whole new host of powers. 

When considering that regulatory regime, the Senators believe that "the single most effective way of advancing cybersecurity is sharing cyberthreat information between the government and industry, as well as within the private sector."  However, our current laws discourage threat-sharing, making both government and private entities vulnerable to cyberattack.  Therefore, the biggest goal of cybersecurity legislation should be to facilitate this information sharing arrangement by knocking down legal barriers and encouraging information sharing not only between the private sector and the government, but amongst the private sector itself.  Additionally, the Senators believe that the US government must do two things: protect its own systems, and leverage federal research institutions (like DARPA) to increase US cybersecurity innovation.

Interestingly, the Senators also call for an expansion of the Computer Fraud and Abuse Act (CFAA), the US anti-hacking statute.  This expansion would increase penalties, create new offenses, and clarify illegal conduct.  They see this expansion of the CFAA as part and parcel to effective cybersecurity legislation.

You can find the Politico source op-ed here.

***

I think both camps have advocated for greater threat-information sharing.  Both camps will probably give DHS more cybersecurity power (though the proposals will vary with regard to how much power).  Both camps agree that Congress needs to pass cybersecurity legislation.  It looks like the argument comes down to how to facilitate that threat-information sharing, and just how much power DHS will have.  Is it better to promulgate cybersecurity regulations (which Republicans characterize as heavy-handed), or is it better to incentive the private sector to increase their own cybersecurity and share threat information?

Whatever the case, you're going to see more news on cybersecurity legislation in the coming weeks as Senators bring their proposals to the floor.