Could it be that after years of false starts and dashed hopes, the logjam is about to break on cybersecurity legislation? It is too soon to be sure, but one thing is abundantly clear: There is significant movement in both chambers of Congress.
Senate Majority Leader Harry Reid has informed Minority Leader Mitch McConnell that he intends to bring comprehensive cybersecurity legislation to the floor in the first working period of the New Year. The ranking Republican members of four key Senate committees countered with a letter to President Obama urging that cybersecurity legislation focus on four near-term measures for which there would likely be broad support: information sharing, reforming the Federal Information Security Management Act (FISMA), updating criminal penalties and enforcement tools, and ramping up R&D. The group recommended deferring action on more complex and contentious issues, such as regulation of critical infrastructure and supply chains.
The House has already settled on a piecemeal approach to cybersecurity. The first session of the 112th Congress came to a close with bills up for consideration on a range of discrete security issues, from data breach and notification rules, to information sharing, to cyber espionage.
As Symantec’s Cheri McGuire (no relation) wrote here recently, the growing volume and sophistication of cyber threats underscore the pressing need for effective cybersecurity policies. All the momentum in Congress offers hope. But election-year politics being what they are, pragmatism should be the watchword when lawmakers reconvene. Several measures should rise to the top of the agenda, because they would have a real impact on cybersecurity and should also garner bipartisan support:
- Promote information sharing about security threats with government and between companies.
- Improve the government’s own cybersecurity by reforming FISMA so agencies engage in continuous monitoring instead of “check the box” exercises.
- Deter and punish cybercrime by enacting strong laws, increasing law enforcement resources, and directing the US government to engage and cooperate internationally.
- Support cybersecurity R&D with incentives for the private sector and a national plan for basic and long-term research into technology solutions that are not commercially available.
- Require sensible data-protection measures and breach notification rules. As Robert Holleyman testified in June, those responsible for holding data should take appropriate security measures, consistent with the sensitivity of the data entrusted to them, and when a breach poses significant risk of harm, customers and consumers should be notified promptly.
Two sessions of Congress have come and gone since BSA released a Global Cybersecurity Framework that championed a set of core principles for cybersecurity — starting with trust, innovation, and calibrated risk mitigation. With luck and a measure of bipartisan resolve, the 2012 session may turn those principles into law.