Administration Releases Cybersecurity Legislative Recommendations

BY CCIA Staff
May 19, 2011

Top officials from the DOJ, Commerce, DHS and DOD briefed Senate committee staffers this week on the White House’s long-awaited cybersecurity legislative proposal, unveiled last week.

The Obama Administration’s announcement is a package of proposed pieces of legislation covering a number of different areas, all aimed at encouraging the protection of federal systems and other critical network infrastructure from attack. Here are our initial thoughts:

Now that the administration has released its proposal, Congress can move forward on incorporating those ideas into its own discussions. As an initial issue, it is always cumbersome and dangerous to work with large pieces of legislation of this kind. Big bills lead to tradeoffs on pieces of the law that mix bad results in with the good. Smaller bills let issues be debated on their own merits and lead to fewer of those kinds of tradeoffs.

We will be interested to see the legislation that is developed over the coming weeks and months, but as with all legislation of this type, the devil is in the details. Even the best of intentions can produce unfortunate results with language this broad. In particular, there is concern that some of this language, if made into law, could be inappropriately used for the purposes of dealing with intellectual property issues.

1)    Amendments to the Computer Fraud and Abuse Act

The proposal would amend the Computer Fraud and Abuse Act in a number of ways. Primarily, it creates a mandatory minimum sentencing structure for attacks on critical infrastructure. It also enhances the penalties for, and clarifies the elements of, some of the existing offenses. Other, more minor changes include adding CFAA crimes as predicate offenses under the Racketeer Influenced and Corrupt Organizations Act (RICO), clarifying that conspiracy and attempt are subject to the same penalties as the completed offense, and creating civil forfeiture provisions. The language proposed gives a great deal of discretion to law enforcement, which could lead to overly aggressive enforcement and unintended consequences. This scenario needs to be avoided.

2)    National Data Breach Notification

A national data breach notification law has been a concept before Congress for a number of years now, and the administration included a specific call for such a law in its proposal. It would require companies to notify individuals when there is a reasonable basis to conclude that “sensitive personally identifiable information” about them was lost or compromised. It would give a safe harbor to a company whose risk assessment shows no reasonable risk of harm resulting from the breach. Companies would have to notify within a reasonable time, which the proposal caps at 60 days. The proposal would preempt all state data breach laws.

3)    Cybersecurity Authority at the Department of Homeland Security

The proposal gives the Secretary of DHS the authority to engage in cybersecurity and infrastructure protection activities over federal systems and all “critical information infrastructure.” In furtherance of this, the Secretary is tasked with creating a cybersecurity center for the federal government to bring together interested parties and to engage in information sharing, threat warnings, and other important goals. The Secretary is instructed to be mindful of economic competitiveness, privacy, and civil liberties in the course of this process.

This section also provides for the movement of data for the purposes of cybersecurity protection: to DHS from other governments and from private entities, notwithstanding other data privacy or security laws, and from DHS to the rest of government or to private parties, for the protection of systems. It also provides for the transfer of data to law enforcement where it contains evidence of a crime. DHS is responsible for ensuring that this data is used only for cybersecurity purposes.

4)    Privacy and Civil Liberties

The administration’s proposal provides for consultation between government and privacy and civil liberties groups, with the aim of developing policies and procedures that would minimize the impact of cybersecurity operations on privacy and civil liberties. It also instructs DHS to institute a program to monitor and oversee compliance with those policies and procedures, and it requires regular reports to Congress on the results of this work. All of these policies and procedures would have to be approved by the Attorney General.

5)    Regulatory Framework for Cybersecurity

Finally, the proposal creates a framework for imposing regulatory obligations on owners and operators of “covered critical infrastructure,” together with an enforcement mechanism for that framework. The Secretary would be responsible for designating “covered critical infrastructure” and for designating the risks that must be mitigated. For those risks, the Secretary must create standardized frameworks for addressing and mitigating them, and the owners and operators of covered critical infrastructure must develop plans to implement measures that address the pertinent risks. DHS would be responsible for evaluating those plans and enforcing their implementation.
