Recapping Cybersecurity Week

Late last week, the House Republican leadership declared this Cyber Week – and who are we at Headlines to disagree? Here’s what we know was decided as we go to press – along with some thoughts about what it all means. We start, perhaps uncharacteristically, at the end of the process.

On April 26, in an evening vote, the House approved the Cyber Intelligence Sharing and Protection Act (CISPA or HR 3523) 248-168. The Congressional Research Service summarized the legislation, saying it will:

  • Amend the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.
  • Define "cyber threat intelligence" as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
  • Require the Director of National Intelligence to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities, and (2) encourage the sharing of such intelligence.
  • Require the procedures established to ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance, (2) shared consistent with the need to protect U.S. national security, and (3) used in a manner that protects such intelligence from unauthorized disclosure. Provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities.
  • Authorize a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider) to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including the federal government. Regulates the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure.
  • Prohibit a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances.
  • Allow the federal government to use shared cyber threat information only if: (1) the use is not for a regulatory purpose, and (2) at least one significant use purpose is either for cybersecurity or the protection of U.S. national security. Prohibits the federal government from affirmatively searching such information for any other purpose.
  • Direct the Inspector General of the Intelligence Community to submit annually to the congressional intelligence committees a review of the use of such information shared with the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns.
  • Preempt any state statute that restricts or otherwise regulates an activity authorized by the Act.

But since CRS last looked at the bill, there have been a number of amendments:

  • to clarify the bill's liability provision that the use of cybersecurity systems is the use of these systems to obtain cyber threat information. Accepted voice vote. [Offered by Mike Pompeo (R-KS)]
  • to clarify that regulatory information already required to be provided remains subject to FOIA requests, as under current law. Passed 412-0. [Offered by Mike Rogers (R-MI)]
  • to limit the use of shared cyber threat information for cybersecurity, investigation of related crimes, protection of people from danger, protection of minors from child pornography, and protection of U.S. national security. Passed 410-3. [Offered by Ben Quayle (R-AZ)]
  • to prohibit the federal government from using library records, firearms sales records, and tax returns from private entities under the bill. Passed 415-0. [Offered by Justin Amash (R-MI)]
  • to authorize the federal government to create reasonable procedures to protect privacy and civil liberties, consistent with the need for cybersecurity. Passed 416-0. [Offered by Mick Mulvaney (R-SC)]
  • to require the development of a list of all federal agencies receiving information about cyber threats. Accepted voice vote. [Offered by Jeff Flake (R-AZ)]
  • to clarify that nothing in the bill would alter existing authorities or provide new authority to federal agencies to install or use cybersecurity systems on private sector networks. Accepted voice vote. [Offered by Mike Pompeo (R-KS)]
  • to add language stating that entities who choose not to participate in the voluntary information sharing authorized by the bill are not subject to new liabilities. Accepted voice vote. [Offered by Rob Woodall (R-GA)]
  • to narrow the definitions on what information may be identified, obtained and shared. Passed 414-1. [Offered by Bob Goodlatte (R-VA)]
  • to make a technical correction to definitions in the bill. Accepted voice vote. [Offered by Michael Turner (R-OH)]
  • to sunset the provisions of the bill five years after enactment. Passed 413-3. [Offered by Mick Mulvaney (R-SC)]

On April 26, the House also passed the Federal Information Security Amendments Act (HR 4257). The bill is aimed at updating the federal government's responsibility to manage its information systems so as to best thwart cyber threats. In sum, the bill:

  • Amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information and security policies and practices.
  • Expands the term "information security" to include authentication.
  • Defines "authentication" as the use of digital credentials to assure users' identities and validate access.
  • Extends the security requirements of federal agencies to include responsibilities for: (1) ensuring complementary and uniform standards for information systems and national security systems, (2) securing facilities for classified information, and (3) maintaining sufficient personnel with security clearances.
  • Directs senior agency officials to continuously conduct risk-commensurate: (1) testing and evaluation of information security controls and techniques, and (2) threat assessments by monitoring information infrastructure and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)
  • Directs agencies to determine information security levels in accordance with information security classifications and standards promulgated under the National Institute of Standards and Technology Act.
  • Directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported to the appropriate security operations center and agency Inspector General through an automated and continuous monitoring capability.
  • Requires each agency to delegate to its Chief Information Officer the authority and primary responsibility for developing, implementing, and overseeing an agency-wide information security (AIS) program.
  • Directs agencies to implement an OMB-approved AIS program that is consistent with components across and within agencies. Requires that such program include automated and continuous monitoring to: (1) mitigate risks associated with security incidents before substantial damage is done; and (2) notify and consult with appropriate security operations response centers, law enforcement agencies, Inspectors General, and other entities or as directed by the President.

The bill was approved by unanimous consent after being brought up under a suspension of House rules. Suspension bills are usually non-controversial, and must pass by a two-thirds majority vote. The controversy was really about CISPA.

The CISPA vote split both parties somewhat -- 42 Democrats supported it, while 28 Republicans opposed it. Opposition to the bill has come from the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, the Competitive Enterprise Institute, TechFreedom, FreedomWorks, Americans for Limited Government, the Liberty Coalition and the American Conservative Union.

On April 25, the White House threatened to veto the bill if it reached the President’s desk. For its part, the Administration was seeking significant changes to boost privacy protections, add new protections on users' personal information and alter its liability protection language. Without adequate privacy protections, Administration officials warned, "the companies that run the Internet would no longer be accountable to the laws that protect privacy" and could "disclose very broadly, private sensitive information to the government."

After the veto threat, House Speaker John Boehner (R-OH) attacked President Barack Obama saying, “The White House believes the government ought to control the Internet, government ought to set standards and government ought to take care of everything that’s needed for cybersecurity.” Speaker Boehner warned that "we can’t have the government in charge of our Internet." He said CISPA and the other cybersecurity bills on the House agenda are "commonsense steps that will allow people to communicate with each other, to work together, to build the walls that are necessary in order to prevent cyber terrorism from occurring." "There are more steps that are going to have to be taken beyond these, but this is a fundamentally different approach than what the White House and some want to do in terms of creating this monster here in Washington that could control what we’re going to see or not see on the Internet," Speaker Boehner said.

As early as last week, the Washington press corps noted the cybersecurity fissure between House leadership on one side and Senate Democrats and the President on the other. The White House and Senate Democrats argue CISPA is inadequate. They say any cybersecurity legislation should include tougher privacy protections and should require critical infrastructure systems to meet minimum security standards. Politico reported that the debate amounts to a high-stakes battle over national security and rising online threats that could easily spill into congressional elections and the race for the White House. Republicans counted on House Intelligence Committee Ranking Member Dutch Ruppersberger (D-MD) to garner enough Democratic support to claim CISPA is a bipartisan solution – and to pressure the Senate to approve the bill as well.

House Republicans run the risk that their bill will be seen as a Band-Aid on a mortal wound if the nation’s critical infrastructure is attacked. Even National Security Agency Director Gen. Keith Alexander said there need to be "some set of standards" that operators of critical infrastructure must meet when he testified before the Senate Armed Services Committee earlier this year.

In an interview with American Public Media’s David Brancaccio, former national security official Richard Clarke expressed concerns with both the House and Senate approach to cybersecurity. He said, “I think the major issue is regulation. The Senate bill, and the White House bill, propose something that looks like regulation but has no teeth; and the House bills oppose anything that looks like regulation at all. So this major issue of cyber security -- protecting our country -- has come down to a matter of ideology.” Of the Senate bill he said, “And it's not "all this regulation" -- it's a very simple idea, which is that the industries themselves would establish their own best practices. Then, against those best practices, the companies would be audited by a third party. I don't think that's a lot of regulation, and I think something as key as the electric power industry, or the oil and gas industry, should be protected because we're all relying on it and we need to know that they're living up to a set of standards.”

Past Clarke’s thoughts, former White House aide Susan Crawford offered some deeper concerns about the cybersecurity proposals: “This flurry of legislation signals that elements of our government want to wage unconstrained war on other nations in cyberspace, no matter what the consequences may be to humanity. The arms race being driven by this desire is threatening Internet freedom here and abroad.” Crawford concludes:

Given the undeniable benefits that the open global Internet has brought to the U.S., building moats around our networks and subjecting them to constant, unaccountable audits and other restraints -- all in the service of an immense online warfighting machine staffed by military contractors -- would be burning the village in order to save it. It cannot be that we have lost our national ability to think creatively, expand our policy options and engage with other nations to introduce the constraints of the laws of war into online settings. In space, we’re pursuing an international code of conduct that will govern acceptable behavior. We need to translate those norms to cyberspace.

Our openness has always carried some risks to the U.S. We can be attacked. We should always prefer principled engagement -- even with our enemies -- to bellicosity driven by fear, particularly when our own citizens will otherwise be deeply harmed. We don’t have enough guns to direct at everyone around the world. We might as well communicate.

As for crafting a legislative solution that honors civil liberties, the Center for Democracy and Technology recently offered a seven-step plan for Internet freedom. These "do's and don't's" include:

  1. Don't Turn Cybersecurity Into a Backdoor Wiretapping Program.
  2. Don't Give the Keys To the Castle to the NSA.
  3. Don't Hide the Ball on NSA Role.
  4. Don't Broadly Authorize Companies To Monitor their Customers.
  5. Don't Make Network Neutrality a Victim of Cybersecurity "Countermeasures."
  6. Don't Authorize the Government To Seize the Family Home When Junior Violates Somebody's Terms of Service.
  7. Do Narrowly and Carefully Define the Cybersecurity Information that Can Be Shared.

Looking ahead to next week, there are a few events on the agenda we think will be of interest. We link to them below and, as always, look forward to seeing you in the Headlines.