For more than a decade, addressing vulnerabilities in our nation's cybersecurity has been a policy priority for the executive and legislative branches of our government. As technology has rapidly advanced and use of the Internet, among other things, has grown, so too has the risk of attacks on critical information technology infrastructure, large-scale invasions of privacy, and the concomitant need for new federal standards and solutions.
This need has merited attention from policy makers because the impact of a serious attack would be debilitating to the nation's security, economy, public health, or some combination of all three. Examples of the types of infrastructure at significant risk for attack are:
* Communication networks;
* Power grids;
* Water supply distribution systems;
* Air traffic systems; and
* Banking and financial institutions.
Attempts to infiltrate vital US business sectors and government agencies have grown exponentially. The Department of Commerce estimates that, in the first quarter of this year, there were approximately 67,000 new malware threats on the Internet every day, a pace more than double the number in 2009.
As these attacks increase, security policy and technological capabilities need to improve to address the threats. In recent months, high-profile breaches of data at prominent companies like Google and Sony, as well as at the US Senate and the Pentagon, have elevated the level of concern for both the public and private sectors of our economy. A new study conducted by the Intelligence and National Security Alliance (Study) found that those intending to conduct attacks on the vital information technology systems of private businesses have grown so sophisticated that the possibility of a potentially catastrophic attack has increased exponentially. The Study goes on to urge the US government to develop cyberintelligence as a new and better coordinated government discipline that can predict and deter computer-related threats. The Study echoes a finding by the Government Accountability Office in July 2011, which concludes that cyberattacks on the US government are growing more frequent and that the US government has been slow to react despite more than a decade of open and notorious threats.
This article reviews current cybersecurity policy proposals intended to enhance our nation's security from a cyberattack and punish wrongdoing and recent proposals intended to set national data breach notification standards and develop public-private voluntary security standards.
Focus of Recent Administrations on Cybersecurity
The advent of the Internet has caused recent administrations to grapple with the issues surrounding cybersecurity. Briefly set forth are a few prominent examples of such efforts emanating from the administrations of Presidents Clinton, George W. Bush, and Obama.
In 1998, the Clinton administration recognized the United States' "growing potential vulnerability" to a cyberattack. In Presidential Decision Directive 63, President Clinton stated his intention to take "swift action" to shore up the nation's cybersystems.
Following 9/11 and the creation of the Office and then Department of Homeland Security (DHS), a 2005 task force established by the Bush administration reported to President Bush that the "IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects." A review, conducted by the Center for Strategic and International Studies in 2008, of the Bush administration's work to address these vulnerabilities found that, while senior administration officials said that they considered cybersecurity "one of the greatest security challenges the United States faces ...," the nation continued to lack a comprehensive strategy to address the threat and recommended the implementation of a national strategy for cyberspace led by the White House. The report also noted that US computer crime laws are outdated and insufficient to combat modern cybercrime.
Similarly, the Obama administration has identified weaknesses in our nation's ability to protect against a cyberattack. A 2009 review of the federal government's cybersecurity infrastructure found that cyberattacks and protecting the nation's infrastructure were some of "the most serious economic and national security challenges we face as a nation." Aside from advocating for a comprehensive policy, the review also made a number of short-term recommendations that would enhance the nation's cybersecurity quickly. In January 2011, the National Security Cyberspace Institute published an evaluation of how the administration was faring in implementing these recommendations and gave a mixed assessment. The report was highly critical of the Obama administration's failure to appoint a cybersecurity coordinator until December 2009, saying that the delay was due to "a number of internal squabbles over authorities, responsibilities and chain of command." The report was far more positive about the administration's work with other nations in developing an international cybersecurity policy and its efforts to raise public awareness of cybersecurity threats and of the need for a highly trained workforce to combat them.
In May 2011, the Obama administration sent to Congress a legislative proposal (Obama proposal) intended to lay the foundation for codification of its federal cybersecurity policy. The Obama proposal (including definitional criteria as noted below) consists of several components that would have significant implications for the cybersecurity practices of major sectors of the economy, including the defense, telecommunications, energy, electric, and banking industries. Following is a very brief summary of some key substantive and definitional provisions of the Obama proposal.
* National Data Breach Reporting: If a business determines that an intruder has succeeded in achieving a security breach and gains access to consumers' sensitive personally identifiable information, that company is required to notify the affected consumers within one year (if the breach impacts 10,000 or more consumers). Currently, 47 states have various notification requirements. The Obama proposal is intended to harmonize the breach-reporting process and thus contains a preemption provision creating one federal standard.
* Strengthens Existing Law to Prosecute Cybercrime: Amends the Computer Fraud and Abuse Act (CFAA), by making violations of the CFAA predicate offenses to the Racketeer Influenced and Corrupt Organizations Act (RICO). The Obama proposal would also mandate a minimum three-year sentence for cybercriminals who cause or knowingly attempt to cause damage to critical infrastructure that either leads to or would have led to substantial impairment of critical infrastructure computers.
* Creating a Voluntary Assistance Program: The Obama proposal suggests the creation of a voluntary government assistance program for businesses and state and local governments that suffer a cyberattack.
* Critical Infrastructure Defense: The legislative proposal outlines a system for identifying and protecting the nation's "critical infrastructure." The proposal requires operators of identified critical infrastructure to implement cybersecurity plans and authorizes the DHS to review these operators' cybersecurity plans, monitor compliance with such plans, and take other actions to ensure that critical infrastructure operators are sufficiently addressing identified cybersecurity risks.
* Cybersecurity Management: The Obama proposal formally establishes DHS as the agency responsible for executive branch information security, including the authority to implement binding policies and directives relating to information security, review compliance with such policies and directives, and designate an entity to receive reports about cyberthreats, incidents, and vulnerabilities.
* Recruitment and Retention of Cybersecurity Professionals: The legislative proposal gives DHS the authority to establish cybersecurity-related positions and set up a scholarship program to ensure that these positions are filled with desirable candidates well-trained in the field of cybersecurity.
In addition to the Obama proposal sent to Congress in May, the Obama administration is pursuing other means (that do not require Congressional approval) to enhance the nation's cybersecurity. In June, the Department of Commerce's Internet Policy Task Force released a report that identified several opportunities for public/private partnerships to strengthen the cybersecurity of companies that use the Internet to conduct business but are not part of the critical infrastructure sector (and therefore outside of the scope of the President's proposal). In the report, Cybersecurity, Innovation and the Internet Economy, the Department proposes the establishment of a national, but completely voluntary, set of codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses use best practices, such as automated security, to counter cybersecurity threats and that they deploy the Domain Name System Security Extensions (DNSSEC) on the domains that host key Web sites. The report also recommends creating incentives for companies to protect against cybersecurity threats. These incentives could include reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
Recent Congressional Focus on Cybersecurity
Since the terrorist attacks of September 11, 2001, updating data security has consistently been an issue upon which both parties in Congress have attempted to work together. Despite this, enactment of a comprehensive package of meaningful reforms has remained elusive.
To date, the Obama proposal has not been introduced in either the House or Senate. However, in testimony given before the Senate Appropriations Committee on September 7, 2011, Deputy National Security Advisor John Brennan testified that passing cybersecurity legislation should be one of Congress' top priorities. The Obama administration's strong emphasis, along with the incidence of several high-profile cyberattacks, including those on Sony, Google, the Pentagon, and the US Senate, has led to the introduction of several cybersecurity bills by members of Congress (see below for a description of these bills).
Further, in the House, Speaker John Boehner (R-OH) appointed Representative Mac Thornberry (R-TX) to lead a Republican-only task force to review the Obama proposal and to report back to Speaker Boehner with its own set of recommendations for addressing cybersecurity in the United States (Task Force Bill). While the Task Force reported that the threat posed by cyberattacks is "real and immediate,"(1) it did not endorse addressing cybersecurity through comprehensive legislation. Rather, the report supports the creation of voluntary incentives for companies to enhance their cybersecurity capability over government regulation. The report added that each House committee with jurisdiction over the issue should hold hearings and develop legislation that streamlines what it considers redundant regulations. Advocating a more conservative a la carte approach, as the Task Force has, is not only at odds with the Obama Administration but also quite likely with the Senate, where the staff for Majority Leader Harry Reid and Minority Leader Mitch McConnell are working together on a comprehensive bill that they intend to have available in the coming months (Reid-McConnell Bill).
It is expected that both the House and Senate will vote on legislation by the end of the year, with the House likely moving to create the voluntary incentive program, while the Senate considers the Reid-McConnell Bill. Leadership in the Senate will then have to decide whether it wants to pass the House's bill, which will likely not include the large scale reforms that the Senate seeks, or try to convince the Republican leadership in the House to consider its comprehensive bill.
In addition to the work being done by House and Senate leadership on comprehensive legislation, there are also ten bills in the Senate and seven bills in the House that deal with significant components of the cybersecurity issue. While it is increasingly unlikely that any of these bills will receive an up or down vote in either the House or Senate, a close examination of the bills (which are listed below) identifies key areas where there seems to be agreement between Congress and the President. Therefore, it is important to note these provisions as they are likely to form the framework of any comprehensive package:
* There is bipartisan support for the creation of a national breach-notification standard. Today, 47 states have established notification laws. This has created a tremendous burden on businesses that, after suffering an attack, have had to identify and adhere to each state's myriad rules.
* Another one of President Obama's proposals that has support in both chambers creates an office within the Executive Office of the President whose sole objective is to monitor and advise the President on cybersecurity matters.
* There is bipartisan and bicameral support for legislation directing funds to develop new methods of identifying cyberattacks and to train personnel in these methods. The Obama administration also identified the need for more trained staff.
* S. 372: Cybersecurity and Internet Safety Standards Act
Sponsor: Senator Ben Cardin (D-MD)
Status: This bill was introduced on February 16, 2011 and referred to the Senate Committee on Commerce, Science, and Transportation.
Summary: This bill seeks to reduce the ability of terrorists, spies, criminals, and other malicious actors to compromise, disrupt, damage, and destroy computer networks, critical infrastructure, and key resources, and for other purposes. DHS will achieve this by encouraging entities in the private sector to develop and enforce voluntary or mandatory minimum cybersecurity and Internet safety standards.
* S. 413: Cybersecurity and Internet Freedom Act of 2011
Sponsors: Senators Collins (R-ME), Carper (D-DE), and Lieberman (I-CT)
Status: Committee on Homeland Security and Government Affairs held a hearing on the bill May 23, 2011.
Summary: Establishes an office in the Executive Office of the President that will advise the President on cybersecurity issues. The act also establishes a National Center for Cybersecurity and Communications at the Department of Homeland Security (DHS) which will be responsible for leading federal efforts to protect public and private sector cyber and communications networks.
* S. 799: Commercial Privacy Bill of Rights Act of 2011
Sponsors: Senators Kerry (D-MA) and McCain (R-AZ)
Status: This bill was introduced on April 12, 2011, and referred to the Senate Committee on Commerce, Science, and Transportation.
Summary: Would impose new rules on companies that gather personal data, including offering people access to data about them, or the ability to block the information from being used or distributed. Companies would have to seek permission before collecting and sharing sensitive religious, medical, and financial data with outside entities.
* S. 813: Cyber Security Public Awareness Act of 2011
Sponsors: Senator Sheldon Whitehouse (D-RI) and Senator Jon Kyl (R-AZ)
Status: This bill was introduced on April 13, 2011, and referred to the Committee on Homeland Security and Governmental Affairs.
Summary: This bill is intended to promote awareness of cybersecurity. The bill, once enacted, mandates that different government agencies provide information to Congress on what plans exist for prosecuting cybercriminals, reacting to significant private sector incidents, reporting cybercrime to shareholders, regulating critical infrastructure, protecting the information security supply chain, and trying cybercriminals in federal courts.
* S. 1151: Personal Data Privacy and Security Act of 2011
Sponsor: Senator Leahy (D-VT)
Status: Committee on Judiciary held a markup on September 15, 2011.
Summary: Would require companies to disclose cyberattacks that jeopardize consumers' personal information. It would also make the concealment of a data breach a crime. The Leahy measure does not give a specific timeframe for making such reports.
* S. 1152: Cybersecurity Enhancement Act of 2011
Sponsor: Sen. Robert Menendez (D-NJ)
Status: The bill was introduced on June 7, 2011, and was referred to the Committee on Commerce, Science, and Transportation.
Summary: This bill outlines a strategic plan to continue funding for National Science Foundation (NSF) scholarships, encourage research and innovation in the field of cybersecurity at institutions of higher learning, and train future computer security professionals who will use their acquired skills in the federal workforce.
* S. 1207: Data Security and Breach Notification Act of 2011
Sponsors: Senators Pryor (D-AR) and Rockefeller (D-WV)
Status: The bill was introduced on June 15, 2011, and was referred to the Committee on Commerce, Science, and Transportation. Committee hearing scheduled for September 21.
Summary: Would require companies that own or possess data containing personal information to establish "reasonable" security policies and procedures to protect that data. If a security breach occurs, entities would have to notify affected individuals. Consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.
* S. 1223: The Location Privacy Protection Act
Sponsors: Senators Franken (D-MN) and Blumenthal (D-CT)
Status: The bill was introduced on June 16, 2011, and was referred to the Committee on Commerce, Science, and Transportation.
Summary: The bill requires companies that operate smart phones, like Apple and Google, to get permission from users before sharing geolocational data with third parties.
* S. 1408: Data Breach Notification Act of 2011
Sponsor: Senator Feinstein (D-CA)
Status: Senate Judiciary Committee held a mark up on September 15, 2011.
Summary: Requires notification of consumers when their personal and sensitive identifiable information (including Social Security numbers, passwords, or credit card account numbers) is breached and made available to unauthorized users.
* S. 1434: Data Security Act of 2011
Sponsors: Senators Carper (D-DE) and Blunt (R-MO)
Status: The bill was introduced on July 28, 2011, and was referred to the Committee on Banking, Housing, and Urban Affairs.
Summary: Similar to S. 1408, this bill would require businesses that handle sensitive consumer data, in any electronic or paper format, to implement information security safeguards, investigate security breaches, and notify consumers if their "sensitive account information" or "sensitive personal information" in a readable or usable form is breached.
* S. 1535: The Personal Data Protection and Breach Accountability Act of 2011
Sponsor: Senator Blumenthal (D-CT)
Status: Judiciary Committee held hearing September 7, 2011.
Summary: Would impose new regulations on companies that store online data for more than 10,000 people. These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to financial penalties.
* H.R. 76: Cybersecurity Education Enhancement Act
Sponsor: Representative Sheila Jackson-Lee (D-TX-18)
Status: This bill was referred to the House Committee on Science and the House Committee on Education and the Workforce.
Summary: This bill authorizes the Secretary of Homeland Security, in conjunction with the National Science Foundation, to establish a program to give grants to institutions with cybersecurity professional development programs, and establish an E-Security Fellows Program.
* H.R. 174: Homeland Security Cyber and Physical Infrastructure Protection Act
Sponsor: Representative Bennie G. Thompson (D-MS-02)
Status: This bill was introduced on January 5, 2011, and was referred to the House Committee on Homeland Security.
Summary: This bill amends the Homeland Security Act of 2002 to establish a cybersecurity compliance division in the Office of Cybersecurity and Communications. It requires the Assistant Secretary to chair an interagency working group to develop cybersecurity requirements for government computer networks and critical infrastructure. It also gives DHS stronger authority to take action against noncompliance, as well as to suggest cybersecurity requirements for private sector companies classified as critical infrastructure.
* H.R. 1136: Executive Cyberspace Coordination Act of 2011
Sponsor: Representative Langevin (D-RI-2)
Status: Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Homeland Security.
Summary: Like S. 413, this bill would establish a National Office for Cyberspace within the Executive Office of the President responsible for evaluating and enforcing requirements for federal agencies to protect themselves and the public from a cyberattack. The office would also be charged with ensuring that the government purchases the most advanced and secure technology possible, and trains a workforce with the ability to prevent cyberattacks.
* H.R. 1528: Consumer Privacy Protection Act of 2011
Sponsors: Representatives Cliff Stearns (R-FL-6) and Jim Matheson (D-UT-2)
Status: Referred to the House Committee on Energy and Commerce.
Summary: Requires covered entities to alert consumers whenever their personal information is used for a purpose beyond the intended transaction.
* H.R. 1707: Data Accountability and Trust Act
Sponsors: Representatives Rush (D-IL-1), Barton (R-TX-6), and Schakowsky (D-IL-9)
Status: Referred to the House Committee on Energy and Commerce.
Summary: Under this legislation, following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed within 60 days. Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
* H.R. 2096: Cybersecurity Enhancement Act of 2011
Sponsor: Rep. Michael T. McCaul (R-TX-10)
Status: The bill was unanimously approved by the House Committee on Science, Space, and Technology on July 21, 2011.
Summary: This bill is similar to S. 1152. It outlines a strategic plan that would continue funding for National Science Foundation scholarships, encourage research and innovation in the field of cybersecurity at institutions of higher learning, and train future computer security professionals who will use their acquired skills in the federal workforce.
* H.R. 2577: Secure and Fortify Data Act (SAFE Data Act)
Sponsor: Representative Bono-Mack (R-CA-45)
Status: Approved by Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade July 20, 2011, and is now awaiting mark-up by full committee.
Summary: Would require organizations to notify people affected by a data breach and the Federal Trade Commission (FTC) within 48 hours. The bill would expand the FTC's powers by giving it authority to levy civil penalties if companies or entities fail to respond to data breaches in a timely and responsible manner.
Cybersecurity legislation will very likely be taken up and passed by Congress in the near future. Work is currently being conducted in both government and the private sector that will impact greatly the content of comprehensive cybersecurity legislation.
(1.) Recommendations of the House Republican Cyber-security Task Force, p.5 (Oct. 5, 2011), at http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf.
Mark R. Heilbrun and Isaac Brown are a partner and public policy advisor, respectively, in the Washington, DC, office of Edwards Wildman Palmer LLP. The authors may be reached at firstname.lastname@example.org and email@example.com, respectively.