Tweet Cybersecurity

Closing the Deal on Cybersecurity Legislation

Bank SafeWell, that headline might be premature. Unless something dramatic happens in the lame duck session after today’s midterm elections — which appears unlikely — we will not have a cybersecurity bill this year. And that might not be such a bad thing, because while lawmakers have made some good headway on cybersecurity issues in the 111th Congress, challenging questions remain.

With Cybersecurity Awareness Month now behind us, it seems an appropriate time to pause and review the bidding that has brought us to this point.

Two major cybersecurity bills have made it through committee in the Senate and a considerable amount of work has been done to reconcile them into a package that could yet provide the framework for a final deal. (The current iteration of the text has not been published, so I can’t offer a detailed critique of it.) The two bills — one authored by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) and the other by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.) — include a series of provisions that would do a great deal to bolster cybersecurity. Those include:

  • Reforming the Federal Information Security Management Act (a.k.a., “FISMA”) to ensure federal agencies secure their IT systems.
  • Investing in research, development and skills, because public R&D is critical to complement private efforts — and because federal agencies need a capable cybersecurity workforce.
  • Developing a national cybersecurity strategy and raising public awareness to mobilize both government (think war planning) and society at large (think victory gardens).

But chief among the remaining challenges, from the software industry’s perspective, is the issue of how to ensure that companies have the flexibility to develop new cybersecurity solutions as quickly as threats emerge. As I alluded in my last post, we have to be able to learn and adapt to a rapidly changing threat landscape, so Congress should avoid imposing overly prescriptive technology mandates.

In practice, that means measures to ensure that federal agencies procure secure technology products and services should be based on international, industry-led standards and best practices, rather than government-specific ones. This approach would preserve US access to commercial off the shelf (COTS) technologies, which are developed for a global base of government and commercial users. That in turn lowers acquisition costs while increasing choice and interoperability. More importantly, it allows the government to leverage the considerable R&D investments of the global COTS technology industry, which will continue to spur more innovative and more secure technology.

There are other outstanding issues, too, such as how owners of critical IT and communications infrastructure would be obliged to comply with a new cybersecurity regime. The progress that Congress has made is encouraging, but with such important issues still unresolved it would probably be unwise to rush a legislative package through a lame duck session. Let’s just hope we’re not still talking about this the next time Cybersecurity Awareness Month rolls around.

Robert Holleyman


As President and CEO of BSA | The Software Alliance from 1990 until April 2013, Robert Holleyman long served as the chief advocate for the global software industry. Before leaving BSA to start his own venture, Cloud4Growth, Holleyman led the most successful anti-piracy program in the history of any industry, driving down software piracy rates in markets around the world.

Named one of the 50 most influential people in the intellectual property world, he was instrumental in putting into place the global policy framework that today protects software under copyright law. A widely respected champion for open markets, Holleyman also was appointed by President Barack Obama to serve on the President’s Advisory Committee for Trade Policy and Negotiations, the principal advisory committee for the US government on trade matters.

Holleyman was a leader in industry efforts to establish the legal framework necessary for cloud-computing technologies to flourish. He was an early proponent for policies that promote deployment of security technologies to build public trust and confidence in cyberspace. And he created a highly regarded series of forums for industry executives and policymakers to exchange points of view and forge agreements on the best ways to spur technology advances and promote economic growth.

Before heading BSA, Holleyman was a counselor and legislative adviser in the United States Senate, an attorney in private practice, and a judicial clerk in US District Court. He holds a bachelor’s degree from Trinity University in San Antonio, Texas, a J.D. from Louisiana State University, and has completed the Stanford Executive Program at the Stanford Graduate School of Business.

Leave a Reply

Your email address will not be published. Required fields are marked *

four + 16 =