Cybersecurity: Recent Legislation

I know, talking legislation is sexy stuff. But a short look back at some recent developments will be foundational to some important coming discussions.

The past several months have been packed with Cybersecurity legislation. Lawmaking is inherently an iterative process, and at the risk of sounding cynical, despite all the activity it’s fair to say we haven’t covered much new ground in 2015. But don’t read the following synopsis as cynicism. The legislation absolutely indicates substantive forward progress, but I feel there’s an opportunity at hand for larger leaps. A short recap of recent legislation and its recurring themes, to frame a later discussion:

Private Sector Information Sharing: 2015’s State of the Union address included a section on Cybersecurity, specifically a call for better efforts to “integrate intelligence.” Less than a month later, the President raised that concern again at the Cybersecurity and Consumer Protection Summit. The summit featured the introduction of an Executive Order (EO), “Promoting Private Sector Cybersecurity Information Sharing” (EO 13691). Information sharing is hardly virgin ground for Cyber legislation.[i] The call for Cybersecurity Information Sharing and Analysis Organizations (ISAOs) can be found in the Homeland Security Act of 2002, the 2013 State of the Union Address, and the 2013 and 2015 versions of the proposed Cyber Intelligence Sharing and Protection Act. The 2013 State of the Union Address also gave rise to its own EO (EO 13636), which called for a framework outlining processes for voluntary private sector information sharing. Two of the four Cybersecurity bills passed late in 2014, the Cybersecurity Enhancement Act and the National Cybersecurity Protection Act, called for similar collaboration. Last month’s EO adds detail to the ISAO concept, calling for formalized changes and updates to sharing policy as well as the creation of a non-governmental ISAO Standards Organization. If recent legislation has a predominant theme, it’s “Please share…pretty please??”

Cyberspace as Critical Infrastructure: Legislation has also emphasized the protection of U.S. Cyberspace as key to economic, military and national security stability. Several sectors of U.S. Cyberspace were accordingly treated as critical infrastructure in the Homeland Security Act of 2002. Provisions for critical infrastructure protection (CIP) followed in 2003’s Homeland Security Presidential Directive-7. Those CIP prescriptions were further refined in the Cybersecurity guidance of 2013’s EO 13636 (titled “Improving Critical Infrastructure Cybersecurity”) and the resiliency prescriptions of Presidential Policy Directive 21. And the Cybersecurity Enhancement Act of 2014 once again highlighted the importance of our cyber assets and infrastructure to American prosperity and well-being. Second theme: “This stuff is important.”

Privacy and Civil Liberties Are Essential: There have been two recent long-form attempts to describe privacy rights and civil liberties in Cyberspace: 2012’s Consumer Privacy Bill of Rights and last week’s 2015 version of the Consumer Privacy Bill of Rights. In the span between those two offerings, preserving privacy has also been a stated outcome of 2013’s EO 13636, this year’s EO “Promoting Private Sector Cybersecurity Information Sharing” and the National Cybersecurity Protection Act of 2014. At one point President Obama also threatened to veto the 2013 version of the Cyber Intelligence Sharing and Protection Act if it wasn’t amended to ensure privacy and civil liberty protections. Third theme: “Privacy is essential.”

Now that the legal pedigree is behind us, that’s thirteen years of the same three-part harmony:
“Share information.”
“Cyberspace is critical.”
“Privacy is essential.”

And let’s be clear who the intended audience is: the private sector. By 2009 the vast majority of public sector organizations had already begun migrating to some subset of the same government security standards. So after thirteen years, how are we still in roughly the same position? I believe it’s because, on their face, those three statements don’t yet provide enough incentive to bring the right stakeholders to consensus. I believe we’re close. I’ve offered what I think it will take to get us there absent some positive change. But I also believe the public sector (and not necessarily just the Feds) has at least one more compelling incentive it can offer. I think evidence of that can be heard echoed here in the reactions of Trustwave’s Phil Smith, RSA’s Mike Brown and Denim Group’s John Dickson.

To be continued…

[i] Information sharing is one means of attempting to scale efforts to combat an “open source adversary.” Open source adversaries, such as cyber criminals and advanced persistent threats, can cheaply and easily replicate attack methods and vectors, using scale to incredible advantage. J. Michael Daniel, Cybersecurity Coordinator at the White House, gave this explanation of the benefits of the counter-tactic: “We have seen industries that have increased their information sharing—such as in the financial services industry—and that does make a meaningful difference in being able to cut out a lot of the low-level attacks and intrusions. When you do that, then you can focus your humans on the more sophisticated intruders. I see this as a sort of baseline for us just to stay in the game.” For a brief treatment of open source cyberwar see John Robb’s blog or the excellent example in his book Brave New War.