What will the future of cyber security legislation hold?
Movies like Blackhat, Live Free or Die Hard, and other doomsday predictions about cyber terrorists taking over a power plant, nuclear reactor or gas pipeline once seemed far-fetched. Today, they are much closer to reality. News reports almost daily tell of another data breach of consumer information, an attack on a major company, or a nation-state seeking to penetrate American defenses. Public support for the need to act has reached a point where elected leaders are preparing to draft legislation to try to stem the tide of successful attacks and ensure the protection of critical assets and consumer information.
Legislative attention to cyber issues is coming
President Barack Obama will give the State of the Union address later this evening, and is expected to talk about the importance of cyber security and the actions he believes are needed to address the issue. In setting up the discussion, the President addressed the need to ensure safe use of the Internet and all it has to offer. President Obama followed that up by speaking at the Department of Homeland Security, highlighting the need for government to work with the private sector to “defend ourselves against cyber-attacks.” SNL News quoted the President as saying, “… as we have been reminded over the past year … extraordinary interconnection creates enormous opportunities, but it also creates enormous vulnerabilities for us as a nation and for our economy, and for individual families.” The President’s focus seems to be on protecting consumers at a granular level to ensure they can safely engage in commerce via the Internet.
President Obama is not alone in calling for government to step up its efforts to assist the private sector in dealing with cyber issues. Republican Senator Orrin Hatch, who chairs the Senate Finance Committee, spoke of the need for all relevant congressional committees to try to iron out a “comprehensive, legally sound and practical legislative strategy for protecting and defending United States critical infrastructure from cyber-attacks,” as reported in SNL News on January 16, 2015. Hatch went on to say that no one government agency is responsible for cyber security and defense, and it is Sen. Hatch’s view that, “… we need to grab this bull by the horns and do something about it.” Former Representative Mike Rogers, who chaired the House Intelligence Committee until leaving Congress, was sounding the alarm on cyber issues as early as 2011, and introduced the Cyber Intelligence and Information Sharing Act (CIPSA) to address those concerns.
What are the competing interests?
While there is seemingly bipartisan support to do something, there is likely to be a wide disparity about exactly what needs to be done and by whom. To further complicate the issue, there is the question of which segments of the cyber world need to be the focus of the legislative effort – consumers, critical infrastructure or both. Not surprisingly, the devil is in the details.
Privacy advocates oppose giving the government too much access to, and control over, personal information. Cyber security experts responsible for protecting and maintaining consumer information affirm the need for assistance in defending against attacks from nation-states and organized attackers. And the public seeks absolute security of its consumer and personal data, while not granting the government “too much” access to personal affairs and not offending the Constitutional protection against unreasonable searches.
The second and equally significant problem takes place in the court of public opinion. If the government does “too much” to protect its citizens and secures information it would not otherwise have access to, individual citizens will want assurance that their information is not being shared with other government agencies, like the Internal Revenue Service. On the other hand, if the government fails to adequately protect individuals and cyber attacks result in the unauthorized disclosure of personal information, cries of incompetence will undoubtedly follow. Perhaps most confounding is that these very complaints will be made, and in fact have been made, in data breach cases like Target, Home Depot, and others where it was deemed the company did not do “enough” to protect itself from cyber penetration. The issue is rife with peril. Perfection, while impossible, is the expectation. Yet the likelihood of a breach of some kind continues to increase.
One of the central problems with trying to craft a legislative solution to the cyber security issue is that companies have to admit the weaknesses in their systems. Some of those weaknesses may be publicly known, while others may have been identified internally and are not yet in the public domain. To place a company or government agency in this position is not reasonable. For example, at least one state commission, in an attempt to get a better understanding of the exposures and the efforts being made to defend its utilities against cyber attacks, sought answers from the utilities in a public docket through a very detailed list of questions that would have forced each utility to publicly disclose its cyber challenges. As you can imagine, the utilities were not inclined to expose their strengths and weaknesses in a public manner and draw a map for bad actors on how to attack their systems. The state commission rethought its request, and ultimately no public response was required.
Perhaps the biggest challenge facing policy makers is obtaining accurate, timely information to inform their policy development while ensuring it will not be disclosed. While some organizations and congressional committees, particularly those involving national security (e.g. DHS, FBI), can avoid public disclosure of classified information, congressional hearings are typically open to the public. Senator Hatch’s request that all committees work together on the issue will undoubtedly make it more challenging to minimize the potential leak of information to nefarious characters who seek to harm the United States.
What is already being done?
While perhaps not widely reported, state legislatures, state public utility commissions, the Federal Energy Regulatory Commission, and the North American Electric Reliability Corp. have been working for years with the owners and operators of much of the energy-related critical infrastructure to address cyber issues. Some of those bodies have also sought to address issues outside the utility landscape and deal with fundamental consumer data protection issues. Also, just last week the United States Dept. of Energy and the Federal Smart Grid Task Force established and released a “voluntary code of conduct” for utilities to protect consumer information. While much of this work happens out of the public eye, it is happening.
What is plainly understood is that cyber issues are critically important, that they impact all sectors of the business and national security worlds, and that there is a growing expectation from the public that “all reasonable steps” are being taken to protect them from cyber-related harm while not offending the right of an individual to be free from improper government intrusion. In the coming weeks, proposed legislation is likely to be introduced, and hearings about what to do, who will do it, and how critical infrastructure and consumer data can be protected will take center stage.