Congress returns this week with cybersecurity as one item on a long list of priorities that may or may not be addressed in the final months of the year.
The Cybersecurity Information Sharing Act has been teed up for Senate action this fall, amid strong support from the business community. But there is still no definitive date for floor consideration, and online privacy groups are mounting their own campaign to sink the measure.
Other cyber issues — such as better securing the government’s own networks, updating criminal law to address cyber challenges, Electronic Communications Privacy Act reform, consumer data-breach notification, incentives for cyber improvements by business and cybersecurity in advanced automobile technologies — are also waiting in the wings.
When it comes to cybersecurity legislation, “waiting” is usually the operative word on Capitol Hill.
But when it comes to broader cybersecurity policy, there were a series of dramatic developments while lawmakers were away this summer.
A U.S. appeals court on Aug. 24 affirmed the Federal Trade Commission’s authority to enforce cybersecurity standards.
“In light of the 3rd Circuit’s decision, companies should be on immediate notice that they are likely subject to continued — and, quite possibly, increased — FTC enforcement actions for their cybersecurity practices based on currently existing FTC guidance,” the law firm Akin Gump said in a client alert.
On Aug. 26, the Pentagon released a long-awaited rule requiring defense contractors to report breaches on their networks.
And just a couple of weeks earlier, the White House Office of Management and Budget proposed new rules for all government contractors on improving the cybersecurity of their supply chains.
Considering the broad scope of contracting between federal agencies and the private sector, these rules almost inevitably will drive up cybersecurity efforts — and spending — throughout the economy.
That was the disciplinary and regulatory side of government’s approach; there were also developments on the partnership side. For instance, the Federal Communications Commission’s industry-led advisory council finally got to work on its next collaborative endeavor on cybersecurity.
This one will address barriers to cyber information sharing, “security by design” in telecom devices and bolstering the cyber workforce. Breakthroughs between telecom industry leaders and regulators at the FCC could provide important lessons for other business sectors.
Info-sharing legislation may be lagging in Congress, but the FCC’s leaders seem determined to work independently with industry to see if barriers to sharing can be reduced in the telecom sector.
The Department of Homeland Security was busy on the info-sharing topic too, advancing an initiative spawned by President Obama’s February executive order that called for new industry-based “information sharing and analysis organizations.”
And the Commerce Department announced details of a new “multistakeholder process” aimed at getting cybersecurity researchers and the vendors of security products on the same page — rather than at one another’s throats — when it comes to revealing vulnerabilities in software.
In sum, August was one of the most consequential months ever in cyber policy, thanks to the executive and judicial branches.
Now, it would seem to be lawmakers’ turn to pass information-sharing legislation and perhaps a passel of smaller cybersecurity bills.
But the Senate — where cyber info-sharing legislation is hung up — will be in session for only 13 more weeks this year, and some of those are partial weeks abbreviated by holidays.
September already looks like a washout when it comes to cyber. “I have some level of confidence that it won’t be in September,” said Gregory Nojeim of the Center for Democracy and Technology, a leading opponent of the pending Cybersecurity Information Sharing Act.
The Iran nuclear deal comes up first, and the papal visit and Jewish holidays will also limit available floor time. Congress needs to reach some kind of funding agreement to prevent a government shutdown on Oct. 1. After that, issues like increasing the debt ceiling will also eat up floor time.
If the cyber info-sharing bill does advance, the online privacy community is promising to make things miserable on the Senate floor for CISA backers.
CDT’s Nojeim last week said opponents will encourage their Senate allies to use procedural tactics to delay the bill, and then will wage war over the substance if and when floor debate gets started. Nojeim conceded there is “a lot of pressure” to move CISA through the Senate, but asserted, “Delay is the enemy of this bill.”
Online privacy groups believe the very premise of the legislation is so flawed that there is no way to make it acceptable through amendments on the floor.
“We’ve objected from the outset to the premise of the bill — pre-empting all law in the service of cybersecurity,” Nojeim said. “They’re not going to change that.”
Nojeim added, “The surgery on this bill that would be required would be so significant that you wouldn’t recognize the bill afterward.”
Business groups have countered with a summer-long campaign aimed at clearing up alleged misconceptions over the CISA bill, which was developed by Intelligence Chairman Richard Burr, R-N.C. and ranking member Dianne Feinstein, D-Calif.
It passed the Intelligence Committee in March on a 14-1 vote. Similar legislation has already passed the House, and the White House has urged the Senate to get on with passing its version so final negotiations can get underway.
In the meantime, the business-based Protecting America’s Cyber Networks Coalition has attempted to refute charges that CISA is a “surveillance bill,” and to emphasize the limited — and anonymous — types of data that would actually be shared.
Beginning this week, the prospects for an actual floor debate should begin coming into better focus.
View the original content and more from this author here: http://ift.tt/1EMpSqH
from cyber security caucus http://ift.tt/1JObxJe
via IFTTT
No comments:
Post a Comment