Establishing Digital Trust: Don't Sacrifice Security for Convenience
WASHINGTON -- Amid the heated partisan strife that has accompanied the recent and ongoing debates over health care and financial regulatory reform, the idea of good-faith, productive negotiations that cross party lines on any significant issue seems a bit improbable these days.
John Rockefeller (D-W.V.) is betting that cybersecurity is an exception.
Rockefeller, the chairman of the Senate Commerce Committee, is in talks with Democratic leaders to arrange floor time to begin debate on the landmark Cybersecurity Act he is co-sponsoring with Maine Republican Olympia Snowe. A staffer told InternetNews.com that Rockefeller hopes to see the bill pass before Congress adjourns for the mid-term elections.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The Commerce Committee reported the Cybersecurity Act to the full Senate in March, almost a full year after Rockefeller and Snowe introduced the first draft of the bill.
In the intervening time, the senators substantially revised the bill three times in an effort to address the various concerns of the business community and civil liberties groups.
Rockefeller today thanked the BSA and its member companies for their work in helping reshape the bill, and sought to tamp down lingering concerns that even the revised version would impose rigid government standards for security audits on the private sector.
He argued that approaching the cybersecurity challenge as an either/or proposition between a heavy-handed government mandate and self-regulation in the free market, as so many policy debates are reductively defined, is a "dangerous and false choice."
"The government can't do this on its own, and neither can the private sector," he said. "We all recognize that traditional regulation will not work."
Compliance under the microscope
When the bill cleared committee, the BSA praised Rockefeller and Snowe for their work, but warned against creating a compliance-driven culture that would saddle businesses with burdensome reporting requirements and impede innovation in the security arena.
But Rockefeller today stressed that the bill aims to create market-driven standards for security, inviting businesses to develop best practices, which would then be used as the criteria for an independent audit process.
The standards process he envisions would be "flexible and dynamic, not bureaucratic and not burdensome," though he admitted that any form of compliance requirements necessarily carry costs.
At the same time, he warned the audience that if the bill stalls and cybersecurity policy remains an ad hoc proposition, the occasion of a devastating cyber attack could impel Congress to take a sterner course and establish an onerous set of regulatory requirements that would go well beyond what his legislation proposes.
"I think we can all agree here that effective cybersecurity simply is not possible without a reliable mechanism to evaluate performance, and we have yet to be presented with a viable alternative," he said. "For those who are still unhappy with our proposal, we welcome your ideas and your alternatives. We don't want complaints. We want better suggestions, better ideas."
Among the bill's other provisions is the establishment of a Cabinet-level cybersecurity coordinator who would report directly to the President, elevating the profile of the position President Obama created last year, which serves dually on the national security and economic councils. That position would be charged with harmonizing the cybersecurity efforts of the various departments and agencies in government, and take the lead in partnering with the private-sector firms that own and operate about 85 percent of the nation's digital infrastructure.
In that spirit of cooperation and sharing information, the bill would give select senior executives from the private sector access to classified government intelligence relating to cyber threats.
The most controversial provisions of the original bill have been removed from the version now pending before the Senate. Upon its introduction, the bill drew the ire of civil libertarians and others for including language that would allow the President to seize control of private networks and shut them down in the event of a so-called "cyber emergency." Similarly, privacy groups cried foul at the section that would have given the Department of Commerce the authority to supersede all existing privacy laws to combat an attack.
Instead, it instructs the relevant agencies and officials to engage in something like war games exercises to improve their preparedness for an attack.
While the bill no longer contains an Internet "kill switch" provision or the sweeping privacy mandate, the reaction in some quarters was visceral enough that some opponents still associate the legislation with a government takeover of the Internet. That is a stigma Rockefeller would be happy to leave behind.
"In case there is any remaining confusion, let me be clear: this bill does not create any new emergency powers for the president or anyone else in government. It does not," Rockefeller said. "It simply requires all key players to get together ahead of a crisis and prepare. If we have a cyber Katrina or a cyber 9/11, we want quick, effective action, not bureaucratic confusion."