Top officials from the DOJ, Commerce, DHS and DOD briefed Senate committee staffers this week on the White House’s long-awaited cybersecurity legislative proposal unveiled last week.
The Obama Administration announcement is a series of proposed pieces of legislation in a number of different areas, all aimed at encouraging the protection of federal systems and other critical network infrastructure from attack. Here are our initial thoughts:
Now that the administration has released its proposal, Congress can move forward on incorporating those ideas into its own discussions. As an initial issue, it is always cumbersome and dangerous to work with large pieces of legislation of this kind. Big bills lead to tradeoffs on pieces of the law that produce bad results mixed in with the good. Smaller bills allow issues to be debated on their own merits and lead to fewer of those kinds of tradeoffs.
We will be interested to see the legislation that is developed over the coming weeks and months, but as with all legislation of this type, the devil is always in the details. Even the best of intentions can cause unfortunate results with language this broad. In particular, there is concern that some of this language, if made into law, could be inappropriately used for the purposes of dealing with intellectual property issues.
1) Amendments to the Computer Fraud and Abuse Act
The proposal would amend the Computer Fraud and Abuse Act in a number of ways. Primarily, it creates a mandatory minimum sentencing structure for attacks on infrastructure. It also enhances the penalties and clarifies the elements of some of the existing criminal offenses. Some other, more minor changes include adding CFAA crimes to the Racketeer Influenced and Corrupt Organizations Act, clarifying that conspiracy and attempt offenses are subject to the same penalties, and creating civil forfeiture provisions. The language proposed gives a lot of discretion to law enforcement, which could lead to overly aggressive enforcement and unintended consequences. This scenario needs to be avoided.
2) National Data Breach Notification
A national data breach notification law has been a concept before Congress for a number of years now, and the administration included a specific call for such a law in its proposal. It would require companies to inform people if there was a reasonable basis to conclude that “sensitive personally identifiable data” about the person was lost or compromised. It would give a safe harbor to a company if a risk assessment shows no risk of harm because of the breach. Companies would have to notify within a reasonable time, which the proposal suggests to be less than 60 days. The proposal would preempt all state data breach laws.
3) Cybersecurity Authority at the Department of Homeland Security
The proposal gives the Secretary of DHS the authority to engage in cybersecurity and infrastructure protection activities over federal systems and all “critical information infrastructure.” In the furtherance of this, the Secretary is tasked with creating a cybersecurity center for the federal government, to bring together interested parties, and to engage in information sharing, threat warnings, and other important goals. The Secretary is instructed to be mindful of economic competitiveness and privacy and civil liberties in the course of this process.
This section also provides for the movement of data for the purposes of cybersecurity protection, including to DHS from other governments and from private entities, regardless of other data privacy or security laws, and from DHS to the rest of government or to private parties, for the protection of systems. It also provides for the transfer of data to law enforcement where it contains evidence of a crime. DHS is responsible for ensuring that this data is only used for cybersecurity purposes.
4) Privacy and Civil Liberties
The administration’s proposal provides for consultation between government and privacy and civil liberties groups with the aim of developing policies and procedures that would minimize the impact of the cybersecurity operations on privacy and civil liberties. It also instructs DHS to institute a program to monitor and oversee compliance with those policies and procedures. The group would be responsible for reporting to Congress regularly on the results of this work. All of these decisions would have to be approved by the Attorney General.
5) Regulatory Framework for Cybersecurity
Finally, the proposal creates a framework for the development of a regulatory burden upon owners and operators of “covered critical infrastructure” and an enforcement mechanism for the framework. The Secretary would be responsible for designating “covered critical infrastructure,” and for designating risks that must be mitigated against. In coordination with those risks, the Secretary must create standardized frameworks for addressing and mitigating those risks, and the owners and operators of critical infrastructure must develop plans to implement measures to address the pertinent risks. DHS would be responsible for evaluating those plans and enforcing their operation.