Capitol Hill's cyber focus is good and bad
DLT Solutions' cyber expert Don Maclean offers his analysis of the good and bad in the leading cybersecurity proposals being considered by Congress.
For cybersecurity geeks, the good news is that there are numerous cybersecurity bills under consideration in both the House and Senate. Congressional attention on cybersecurity is good, but the proposed laws must address the issues at hand, and should not add more regulatory burden at the expense of implementing substantive cybersecurity practices today. Here are some of the laws currently wending their way through the legislative process.
H.R. 451: Safe and Secure Federal Websites Act of 2015
Summary
This bill would prohibit a federal agency from deploying or making available to the public a “new Federal PII Website” until the CIO certifies to Congress that the website is fully functional and secure. A “new Federal PII website” is one that handles PII and was deployed on or after Oct. 1, 2012. The act also requires notification of intrusions: affected individuals must be notified within 72 hours, and “cyber security centers” must be notified “in a timely fashion.” The agency head must also report annually to Congress on compliance.
Assessment
Federal systems are often overburdened with compliance requirements, both before and after system deployment. These requirements don’t always contribute to improved security and can drain resources from more substantive security efforts. And for the requirement to notify the “cyber security center” in a “timely fashion” to be effective, clearer definitions of “center” and “timely” are required.
Summary
This bill would require “certain agencies” (unspecified) to conduct security assessments of data centers and develop data center consolidation and optimization plans to achieve energy cost savings. The bill anticipates that many agencies will move to cloud platforms to meet this requirement and therefore requires compliance with the GSA’s Federal Risk and Authorization Management Program (FedRAMP) and with NIST guidance. The Director of National Intelligence may waive the requirements of this act for any element (or component of an element) of the intelligence community.
Assessment
This bill appears largely to require what has already been mandated, and it provides a loophole for the intelligence community (IC). There is little to recommend here.
H.R. 1764: United States Chief Technology Officer Act
Summary
This bill would designate a U.S. chief technology officer with a huge portfolio. As might be expected, the cybersecurity-specific tasks include promoting security and privacy protection. The bill would also require the CTO to prepare an annual report of all federal websites with third-party embedded tools. The report would have to identify each embedded tool, its owner and the data it collects. The CTO would have to address effects on cybersecurity and consumer privacy, including whether each website provides prominent notice to consumers about the presence of the tool and whether the consumer may opt-out of the tool.
Assessment
Given such a charter, this CTO position could only be effective if it were supported by a staff of sufficient size and technical expertise. The portfolio covers an enormous range of duties, but the cybersecurity provisions are narrow and specific. A lack of staff would reduce this position to a mere figurehead, while the odd combination of a broad overall portfolio with overly specific cybersecurity responsibilities would make the position less viable. A U.S. CTO is a good idea, but it needs proper support and a better defined list of duties.
H.R. 1731: National Cybersecurity Protection Advancement Act of 2015
Summary
Except for the Defense appropriations bill, this is the largest and most complex of the cybersecurity bills presented here. The bill passed the House on April 23, and is now in the Senate. This comprehensive bill includes the following:
It would vastly expand the membership, authority and responsibility of the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC), with broad mandates to safeguard data. The NCCIC would also work with the chief privacy officer to follow appropriate privacy procedures.
The NCCIC’s functions would include cybersecurity partnerships with various entities (foreign nations, businesses, other private-sector organizations and state/local governments), information sharing across critical infrastructure, participation in exercises run by DHS’s National Exercise Program, and developing capabilities that use industry standards to implement automated mechanisms for sharing indicators and defensive measures. The bill includes legal protections – immunity from antitrust laws, along with requirements to monitor and track the status of privacy and civil liberties efforts – for information shared by and with the government for cybersecurity purposes.
The bill generally requires the NCCIC to improve public safety communications, including public service announcements and voluntary best practices. DHS would also be required to train state and local first responders and officials to prepare for and respond to cyberattacks, help states and communities develop information sharing programs and coordinate with the National Domestic Preparedness Consortium to incorporate cybersecurity emergency responses into existing state and local emergency management functions.
The bill would authorize federal agency heads to disclose to the DHS Secretary all information traveling to, from or stored on a federal agency information system and allows a private entity to assist the secretary in carrying out such activities. It would also authorize the secretary to investigate criminal computer fraud, imminent threats of death or serious bodily harm and serious threats to minors. Lastly, the bill would provide liability protections to private entities that provide assistance to the secretary for such purposes.
DHS would have to report to Congress with recommendations to mitigate cybersecurity vulnerabilities for 10 U.S. ports at greatest risk. It would also authorize DHS to consult with the private sector to submit to Congress a report on how to align federally funded cybersecurity research and development activities with private sector efforts.
The act would terminate seven years after enactment.
Assessment
All of these ideas are good in theory. However, this act places even more responsibility in the hands of the DHS, which may already be overburdened. (See Senator Coburn’s report on DHS, “A Review of the Department of Homeland Security’s Missions and Performance”). This bill makes sense, but perhaps it could leverage resources outside of DHS.
S. 456: Cyber Threat Sharing Act of 2015
Summary
This bill would allow the NCCIC to provide and receive threat information, in real time, to and from private entities. Private entities could share information with the government with little fear of legal repercussions and could share such information with other entities only for system protection, threat identification/mitigation, or crime reporting. It also would let DHS choose a private entity to define best practices for sharing and analyzing threat information. Organizations sharing threat information receive liability protections if they “self-certify” that they abide by these best practices.
To limit abuses, the DHS would have to develop policies to:
- anonymize and destroy information likely to identify specific persons.
- use threat information only to protect information systems or to investigate or prosecute crimes, threats or conspiracies.
- preserve confidentiality of proprietary information.
- penalize federal employees who violate these policies.
Assessment
These ideas are all good, but they seem to overlap with the National Cybersecurity Protection Advancement Act of 2015 described above. Like the more comprehensive law, this bill could further overburden the DHS (see pp. 81-98 of Senator Coburn’s report on DHS).