Sunday, September 14, 2014

Delays in Cyber Legislation

  • Despite a growing number of data breaches that have gained widespread attention,[1] cybersecurity has not yet become a critical issue for Federal legislation.

Description

Voters are not as yet demanding enactment of cybersecurity legislation. It appears that there is no urgent pressure to bring cybersecurity bills up for a vote. Voters have heard about cybersecurity and do not like reports about the breaches. However, there is little understanding of what to do about it. There is little pressure to take action because there is no agenda for what actions would produce a more secure situation.

The House of Representatives has passed a number of cybersecurity bills, but these are stalled in the Senate. The key Cyber Intelligence Sharing and Protection Act (CISPA) remains stalled and exemplifies the current approach to any Federal involvement.

The purpose of CISPA is to encourage businesses to share cyberthreat information with the government. This legislation has been contentious because critics have asserted that it does not offer sufficient privacy and civil liberties safeguards. One of the key provisions, providing immunity for businesses that surface cybersecurity incidents, should not be allowed. Instead, the legislation should “…encourage the private sector in taking reasonable steps to make sure it does not compromise privacy interests when it is not necessary to do so to protect cybersecurity.”[2] Otherwise, businesses could hide behind claims of seeking protection from lawsuits that do not involve cyberthreats. Therefore, the proposed legislation must ensure that personal information is not shared with the military, including the National Security Agency.

Rep. Mike Rogers, the Michigan Republican and CISPA's chief sponsor, says the bill was never about sharing personally identifiable information: the information being shared is the 0s and 1s of code that could contain malware threatening critical IT systems. CISPA, he says, is not about the written content in a message. The proposed bill has added four layers of privacy protection, and the Department of Homeland Security would serve as the government's sole contact with industry in sharing cyberthreat information. Whether such an arrangement is sufficient in practice to shield data from the NSA and the military nevertheless remains a controversial issue.

Debate over cybersecurity legislation has concentrated on whether Congress should prescribe how industry presents cyberthreat information and how it shares data among businesses. As things stand, the government has no role in telling businesses how to anonymize personally identifiable information that must be exchanged. Such details stopped the passage of the Cybersecurity Act of 2012. Proponents of government and business cooperation objected to the government working with industry to establish IT security best practices that businesses could voluntarily adopt. Even such voluntary cooperation drew objections because it could potentially lead to regulation.

Executive Guidance

The rapid escalation of cyber breaches leaves open the question of whether enterprises should expect legislative assistance in fighting cyber crime. Based on current circumstances, one must conclude that any such help would be, at best, a set of token activities that address mostly intra-departmental jurisdictional differences. Little, if any, direct actionable support can be expected from the Federal Government, which leaves each enterprise to do whatever is necessary to protect its operations against information breaches.

If one views cyber crime as a rapidly expanding global and toxic “infection”, mobilizing the equivalent of the Center for Disease Control (CDC) of 1946 offers many scientific, technical, political and economic parallels. However, the current toxicity, speed, global coverage and human-created equivalents of toxins would make the formation of a Center for Cyber-Crime Control an enormous undertaking that the current legislative structure is unable to address.

[1] http://www.databreachtoday.com/breaches-c-318
[2] http://www.govinfosecurity.com/blogs/perceiving-cyberthreat-info-sharing-bill-p-1452