Editor’s Note: This article on the public-policy developments in the area of cybersecurity is the first of a series on Internet technology safety and security in the workplace. Future installments will focus on the rise of cybercrime in the private sector and IT security fundamentals for employers.
Comprehensive cybersecurity regulatory reform failed for the second time this year in the U.S. Senate, increasing the prospects that the White House will implement some of the bill’s provisions through an executive order.
The Cybersecurity Act of 2012 failed to get the 60 votes needed under Senate rules to bring the bill up for passage Nov. 14, 2012, most likely dashing any chance that cybersecurity policy would be addressed in the lame-duck session.
“Whatever we do for this bill is not enough for the Chamber of Commerce,” Senate Majority Leader Harry Reid, D-Nev., said on the floor immediately after the failed cloture vote. “Cybersecurity is dead for this Congress,” he added. Republicans blocked the same measure in August 2012, saying it would lead to more government regulation of business.
“Frankly, the underlying bill is not supported by the business community for all the right reasons,” Sen. Saxby Chambliss, R-Ga., said on the Senate floor. “They’re the ones that are going to be called to comply with the mandates and the regulations, and frankly it’s just not going to give them the protection they need against cyberattacks.”
Senate Minority Leader Mitch McConnell, R-Ky., said he is hopeful that lawmakers can return to cybersecurity in January 2013 with a more inclusive debate.
“The majority leader had made prior commitments to allowing a free and open debate on cybersecurity, a matter that Republicans acknowledge must be addressed especially in the areas of information sharing, and providing some degree of liability protection to those companies that do share cyberthreat information with one another and the federal government,” McConnell said on the Senate floor.
A key area of contention has been language calling for voluntary cybersecurity standards for companies that operate infrastructure as varied as power grids and chemical plants to finance, health care and manufacturing facilities. The Chamber of Commerce, which has actively lobbied against the bill, argued that the proposed standards could easily translate into burdensome government regulations and fail to keep pace with evolving threats in cyberspace.
“There is a healthy and robust disagreement about the proper role of government in regulating the business community given the incredibly dynamic nature of cybersecurity risks, that is far from resolved,” said Chamber of Commerce Executive Vice President for Government Affairs R. Bruce Josten, in a letter to the Senate.
“Critical infrastructure owners and operators are concerned that core threats to enterprise cybersecurity—including nation states or their proxies, organized criminals, and other nefarious actors—could go unchallenged because they would be compelled to redirect resources toward meeting government mandates,” Josten said. “Indeed, any cybersecurity program must afford businesses maximum input and flexibility with respect to implementing best cybersecurity practices.”
Supporters of the bill argued the legislation was necessary to protect critical infrastructure from ever-increasing cyberattacks. Sen. Barbara Mikulski, D-Md., relayed her fear that Congress wouldn’t act until a “catastrophic event” occurs, which would lead lawmakers to “overreact, overspend and overregulate.”
Some of the provisions of the Cybersecurity Act had broad, bipartisan support, such as the need to reduce barriers that have prevented government and private-sector entities from sharing information about cyberthreats, and the importance of boosting programs that support cybersecurity research and education.
“While the Cybersecurity Act of 2012 may not be everything we need it to be, we cannot continue to move forward without mandates for security,” said Brian Laing, director of U.S. Marketing and Products for security software provider AhnLab.
“There is no shortage of news stories talking about companies that have been exploited, and still others on how attackers have already penetrated various networks,” Laing told SHRM Online. “We are putting ourselves at great risk by not moving forward now with this. This is a situation where not making a decision has a bigger impact than moving forward with the wrong decision,” he said.
“The Senate bill had a very good suggestion in calling for operators of natural-gas pipelines, refineries, water-supply systems, and other vital assets to voluntarily submit their computer networks to security testing by the Department of Homeland Security,” said Phil Lieberman, CEO, Lieberman Software, based in Los Angeles. “In return, those industries would have gotten federal protection from financial liability,” he told SHRM Online. “Before our products are allowed to be used on many sensitive environments, they undergo the same type of testing by these same agencies and others,” he said.
Lieberman said that the costs of government oversight are minimal and the benefits substantial, as agencies “find and fix problems before the bad guys find them.” The legal protections that accrue are a value add, he said.
“We absolutely supported this bill,” said Naeem Zafar, CEO, Bitzer Mobile, a mobile enterprise security company based in Sunnyvale, Calif. “The argument of burden imposed by compliance does not hold too much water,” Zafar told SHRM Online. “Companies invest in guards, badges and alarm systems and don’t flinch. They need to be aware and do the same to their cyber attackers not because it is imposed by the government but because they have a fiduciary responsibility to protect their assets,” he said.
Will the White House Make the Next Move?
While Congress may revisit the bill again, there is a possibility that President Barack Obama will address the issue before then. A draft of an executive order (EO) from the Obama administration has been leaked since September 2012, and directs the National Institute of Standards and Technology to set cybersecurity standards for eighteen critical infrastructure industries.
According to the Department of Homeland Security (DHS), the following critical infrastructure sectors could be included: food and agriculture; banking and finance; chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; government facilities; health care; information technology; national monuments; nuclear reactors, materials, and waste; postal and shipping; transportation systems; water.
The executive order further requires DHS to determine which agencies should regulate which parts of the nation’s critical infrastructure and to establish a voluntary program to promote the adoption of the framework by private industry.
“Exactly what incentives this would entail is completely undefined and left to the Secretary [of DHS],” said Paul Rosenzweig in an issue brief for the Heritage Foundation, which opposes the bill and the executive order. “Importantly, the EO has acknowledged that it cannot provide the one thing that private industry wants most: protection against liability if they suffer a cyberloss.” The Cybersecurity Act proposed extending liability protections to companies that participated in the voluntary program.
The executive order cannot establish such an incentive because liability protection requires statutory authority.
The EO explains that the appropriate agencies responsible for regulating specific industries would propose regulations for the organizations contained in those industries.
“This looks to have more teeth,” Rosenzweig said. Each sector-specific agency would be required to report to the president within 120 days on the extent of its existing regulatory authority to mandate cybersecurity for the industry for which it is responsible. The EO then says that within one year of the order being issued, agencies would be “encouraged” to propose regulations to mitigate cybersecurity risks. “And when the president ‘encourages,’ the agencies will surely respond,” said Rosenzweig.
“Buried at the end of the EO is the single piece of news that is likely to be its most effective part,” said Rosenzweig, referring to the federal acquisition preference that may be granted to vendors that meet cybersecurity standards. “If feasible, this preference would be a huge carrot to incentivize voluntary compliance for anyone doing business with the federal government. Since many large vendors have or strive to have federal business, voluntary compliance would become effectively compulsory,” said Rosenzweig.
The Problems with Standards
Among the many concerns at issue, the divide over whether the government should play a role in drafting and enforcing cybersecurity regulatory standards is the most contentious.
A panel of cybersecurity experts weighed in on the problems of a regulatory approach to cybersecurity at a recent event held at the U.S. Chamber.
The panel of private-sector executives, academics and national security policy experts agreed that regulations are a static solution to a dynamic problem.
There is no way that regulation will be able to keep up with the rapidly changing threat, said former DHS Secretary Tom Ridge. “The hackers will move a lot faster than the bureaucrats since it takes major regulations from two to three years to be written,” Ridge said. In that time, the processing power of computers will continue to get faster. “If you adopt a standard, that’s great for that particular point in time, but dynamic penetration will go around any static standard,” said Dave McCurdy, the president and CEO of the American Gas Association. “The threats are dynamic,” said Donald Paul, executive director of the University of Southern California’s Energy Institute. “The rate of technology changing will bring new threats. It’s like a pandemic. You can’t immunize everyone in the world. You can only contain it and manage the worst cases.”
Another issue is whether or not the federal government can develop effective standards. The government has been hacked or experienced serious cybersecurity failures at least 75 times in the past eight years, according to the Chamber.
Critics also claim that regulations hinder innovation. While waiting for the new standards, investors and innovators may be inclined to cease new work until they see what the standards require. “Standards may have the positive effect of raising the performance of the bottom, but it would pull back the people trying to develop the most sophisticated defenses, and I would say that the most vulnerable situation would be if everyone had the same defense,” Paul said. Once the standards are issued, they will push innovators to create products that meet these new standards, even if a better cybersecurity approach could be developed, he added.
Jody Westby, founder and CEO of the consultancy and legal firm Global Cyber Risk, argued that compliance will hinder companies. Instead, she argued for reframing the discussion to focus on legal reforms and other measures that would enable law enforcement to more effectively capture and prosecute cybercriminals.
“American companies need help with cybercrime and cyber espionage, and they need to better understand how to respond to a catastrophic cyber situation. But they do not need the U.S. government inside their data centers or mandating costly security requirements that may be out of date or ineffective.”
“I’m thrilled that the bill didn’t pass,” she said. “I think now we have the perfect opportunity for a new conversation with a new Congress.”
Roy Maurer is an online editor/manager for SHRM.
Follow me on Twitter @SHRMRoy.