Joint Senate Committee Hearing on Cybersecurity: 3-Point Bulletin

Yesterday, the Senate Committee on Commerce, Science, and Transportation and the Senate Committee on Homeland Security and Governmental Affairs held a joint hearing titled “The Cybersecurity Partnership Between the Private Sector and Our Government: Protecting Our National and Economic Security,” in which the recent Executive Order on voluntary cybersecurity standards was discussed extensively.

  • The Executive Order directs agencies to identify incentives available under existing law that could encourage businesses to opt into the voluntary cybersecurity standards. Secretary of Homeland Security Janet Napolitano revealed that among the incentives DHS is considering are a federal procurement preference and some form of governmental seal of approval. Napolitano contends that the market on its own has not provided sufficient incentive for all businesses to raise their cybersecurity standards.
  • Senator Jay Rockefeller (D-WV), Chairman of the Commerce Committee, and Secretary Napolitano agreed that H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), is “wholly insufficient.” Rockefeller particularly stressed that cybersecurity is not an issue that Congress can afford to revisit every year in a piecemeal fashion, and that a more comprehensive bill must be pursued. Napolitano agreed, citing perceived shortcomings in CISPA such as its lack of privacy protections and its placement of standard-setting and information-sharing authority with the NSA rather than with a civilian agency.
  • Senator Mark Warner (D-VA) voiced concern about unintended consequences that could arise from voluntary standards. In particular, he worried that the standards could create a free-rider problem, stagnant standards, or entrenched standards. Complying with stagnant standards, he cautioned, would be both dangerous and potentially wasteful, and entrenched standards could create a costly, complex barrier to entry for new businesses in certain industries.

Cybersecurity 3-Point Bulletin

What’s currently being done?

The Cybersecurity Act of 2012, which was defeated in the Senate in August, would strengthen protection against cyber attacks on federal government systems and on privately owned critical infrastructure. The bill would also allow the government and private enterprises to share information about threats more easily. In the absence of legislation, the Obama administration has indicated that it is prepared to move forward with an Executive Order addressing the key issues.

Is the legislation dead?

Not exactly. While the Cybersecurity Act of 2012, a bipartisan bill supported by a majority of Senators, did not survive a procedural vote in August, Senate Majority Leader Harry Reid (D-NV) has stated that the bill will be revisited after the November elections. Secretary of Defense Leon Panetta and General Keith Alexander, head of U.S. Cyber Command, have both urged congressional action on cybersecurity after the election.

What’s the difference between the potential Executive Order and legislation?

The Executive Order would set policy under current law with regard to cybersecurity standards for critical infrastructure. An Executive Order cannot provide liability protection, however. Both the cybersecurity bill that passed the House in April and the Senate’s Cybersecurity Act provided liability protection for private entities that share information about cyber threats with the Administration. Without the incentive of liability protection, an Executive Order cannot be as effective as legislation.