- Despite a growing number of data breaches that have gained widespread
attention,[1]
cybersecurity has not yet become a critical issue for Federal legislation.
Description
Voters are not as yet demanding enactment of cybersecurity
legislation. It appears that there is no
urgent pressure to bring cybersecurity bills up for a vote. Voters have heard about cybersecurity and do not like reports
about the breaches. However, there is little understanding of what to do about
it. There is little pressure to take
action, because there is no agenda for what actions would produce a situation that
is more secure.
The House of Representatives has passed a number of
cybersecurity bills, but these are stalled in the Senate. The key Cyber
Intelligence Sharing and Protection Act (CISPA) continues to be stalled, as an
example of the current approach to any Federal involvement.
The purpose of CISPA is to encourage businesses to share
cyberthreat information with the government. This legislation has been contentious because critics have asserted that it
does not offer sufficient privacy and civil liberties safeguards. One of the
key provisions, providing immunity for businesses that surface cybersecurity
instances, should not be allowed. Instead, the legislation should “…encourage
the private sector in taking reasonable steps to make sure it does not compromise
privacy interests when it is not necessary to do so to protect cybersecurity.”[2]
Accordingly, businesses could hide behind claims of seeking protection from
lawsuits that do not involve cyberthreats. Therefore, the proposed legislation
must ensure that personal information isn't shared with the military,
including the National Security Agency.
Rep. Mike Rogers, the Michigan
Republican and CISPA's chief sponsor, says the bill was never about sharing
personally identifiable information, saying the information being shared is
the 0s and 1s that represent code that could contain malware that threatens
critical IT systems. CISPA, he says, isn't about the written content in a
message. Even though the proposed bill has added four layers of privacy
protection, privacy will be assured by having the Department of Homeland Security
serve as the government's sole contact with industry in sharing cyberthreat
information. Whether such an arrangement is practically sufficient to shield data
from the NSA and the military remains a controversial issue.
Cybersecurity legislation has concentrated on debates
over whether Congress should prescribe how industry presents cyberthreat information
and how it shares data among businesses. Accordingly, the government has no role
in telling business how to anonymize personally identifiable information that
must be exchanged. Such details stopped the passage of the Cybersecurity Act of
2012. Proponents of government and business cooperation objected to having the
government, working with industry, establish IT security best practices that
businesses could voluntarily adopt. Even such voluntary cooperation was
objectionable because it could potentially lead to objectionable regulation.
Executive Guidance
The rapid escalation of cyber breaches leaves open the
question whether enterprises should expect legislative assistance in fighting
cyber crime. Based on current circumstances, one must conclude that any such
help would be, at best, a set of token activities that will address mostly
intra-departmental jurisdictional differences. Little, if any, direct actionable
support can be expected from the Federal Government, which leaves each
enterprise to do whatever is necessary to protect its operations against
information breaches.
If one views cyber crime as a rapidly expanding global and
toxic “infection”, the analogue of mobilizing the equivalent of a Center for
Disease Control (CDC) in 1946 appears to have many scientific, technical,
political and economic similarities. However, the current toxicity, speed,
global coverage and human-created equivalents of toxins would make the
formation of a Center for Cyber-Crime Control an enormous undertaking that the
current legislative structure is unable to address.
For comments please e-mail paul@strassmann.com