Well, that headline might be premature. Unless something dramatic happens in the lame duck session after today’s midterm elections — which appears unlikely — we will not have a cybersecurity bill this year. And that might not be such a bad thing, because while lawmakers have made some good headway on cybersecurity issues in the 111th Congress, challenging questions remain.
With Cybersecurity Awareness Month now behind us, it seems an appropriate time to pause and review the bidding that has brought us to this point.
Two major cybersecurity bills have made it through committee in the Senate and a considerable amount of work has been done to reconcile them into a package that could yet provide the framework for a final deal. (The current iteration of the text has not been published, so I can’t offer a detailed critique of it.) The two bills — one authored by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) and the other by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.) — include a series of provisions that would do a great deal to bolster cybersecurity. Those include:
- Reforming the Federal Information Security Management Act (a.k.a. FISMA) to ensure federal agencies secure their IT systems.
- Investing in research, development and skills, because public R&D is critical to complement private efforts — and because federal agencies need a capable cybersecurity workforce.
- Developing a national cybersecurity strategy and raising public awareness to mobilize both government (think war planning) and society at large (think victory gardens).
But chief among the remaining challenges, from the software industry’s perspective, is the issue of how to ensure that companies have the flexibility to develop new cybersecurity solutions as quickly as threats emerge. As I alluded to in my last post, we have to be able to learn and adapt to a rapidly changing threat landscape, so Congress should avoid imposing overly prescriptive technology mandates.
In practice, that means measures to ensure that federal agencies procure secure technology products and services should be based on international, industry-led standards and best practices, rather than government-specific ones. This approach would preserve US access to commercial off-the-shelf (COTS) technologies, which are developed for a global base of government and commercial users. That in turn lowers acquisition costs while increasing choice and interoperability. More importantly, it allows the government to leverage the considerable R&D investments of the global COTS technology industry, which will continue to spur more innovative and more secure technology.
There are other outstanding issues, too, such as how owners of critical IT and communications infrastructure would be obliged to comply with a new cybersecurity regime. The progress that Congress has made is encouraging, but with such important issues still unresolved it would probably be unwise to rush a legislative package through a lame duck session. Let’s just hope we’re not still talking about this the next time Cybersecurity Awareness Month rolls around.