Cybersecurity has been the national security topic du jour for months. Earlier this year then-CIA Director Leon Panetta warned of the potential of a “cyber Pearl Harbor”, while in May the Obama Administration released its cybersecurity legislative proposal. And last week the House GOP’s Cybersecurity Task Force (CTF) released its recommendations.
The Obama Administration and the CTF largely agree on the major issues where federal government action is needed to deal with looming cyber threats. For instance, both agree on the need for reforms of the Computer Fraud and Abuse Act and the Federal Information Security Management Act, both propose that Congress address data breach notification so that requirements for organizations that have been attacked are the same nationwide, and both propose the creation of voluntary information sharing about cyber threats between the public and private sectors.
The areas of disagreement between the two proposals are largely based on (surprise, surprise) the role of the federal government in overseeing and regulating cybersecurity practices in the private sector. For example, while both the Administration and the CTF see the federal government (most likely DHS) playing a coordinating role in assisting the development of cybersecurity standards and practices by owners of private critical infrastructure, the Administration’s proposal would allow DHS to step in and override private sector decisions about appropriate risk frameworks where it deems it necessary.
That said, the areas of agreement between the Administration and the CTF are broad enough that we are hopeful that Congress will move quickly on cybersecurity legislation – whether comprehensive or piecemeal. The CTF has said that its recommendations can be acted upon during this Congress – we encourage the Administration and the Congress to work together to address cybersecurity issues within that time frame.
While the devil is in the details, CCIA favors legislation that will address cybersecurity threats by:

* Allowing greater cooperation and information sharing amongst and between the private and public sectors regarding cyber threats; however, private information must be protected from both inappropriate government and private sector use.
* Harmonizing existing data breach laws with federal legislation so that sensitive personal data is treated identically regardless of where it is stored – this will allow businesses to standardize their notification practices nationwide and give customers greater peace of mind.
* Promoting cybersecurity standard setting by cooperation between the public and private sectors and academia. Standards must be technology neutral so they can evolve over time to deal with new threats and incorporate new technologies.
* Promoting international cooperation in creating cybersecurity standards.
* Updating existing laws, such as the Computer Fraud and Abuse Act, to appropriately address today’s cyber threats.
* Incentivizing cybersecurity training and education to develop the next generation of cybersecurity professionals.