Guest Post on Cybersecurity Legislation from Chris Bronk

What follows is a guest post from Chris Bronk, Information Technology Policy Fellow at Rice University’s Baker Institute for Public Policy. He’s a new member of USACM, but the post reflects only his thoughts on the Cybersecurity Act of 2012, and not necessarily those of USACM.

Digesting the New Senate Cybersecurity Legislation

by Chris Bronk

Senators Joe Lieberman, Susan Collins, Jay Rockefeller, and Dianne Feinstein introduced another cybersecurity bill in the U.S. Senate on February 14. “The Cybersecurity Act of 2012,” or S.2105, is yet another attempt by the Senate to bring to a vote a major piece of bipartisan legislation on information and communications security. There have been several efforts to produce new law on this front, but debate has often been mired on serious sticking points, the “Internet kill switch,” under which the President would have the authority to close off the Internet, standing as perhaps the most rhetorically threatening of them. There is no kill switch in S.2105.

Within S.2105, a broad set of issues was considered of interest to the federal government, the IT industry, and the operators of critical infrastructure. The bill lays out some pragmatic planks for determining responsibilities beyond the federal government, further bulking up national cyber security capabilities, and offering a roadmap for regulation of cyber security responsibility.

Significantly, S.2105 emphasizes the Secretary of the Department of Homeland Security (DHS) as the lead official on cybersecurity matters, with the usual exceptions for agencies in the Department of Defense and Intelligence Community. DHS has gradually grown a capability in cybersecurity, and S.2105 would expand it, combining the functions of DHS’s National Cyber Security Division, the Office of Emergency Communications, and the National Communications System into a single National Center for Cybersecurity and Communications. Presumably, this new center would operate in a manner similar to the Office of the Director of National Intelligence’s inter-agency function-specific centers, such as the National Counter Terrorism Center.

Beyond the national center, S.2105 addresses another issue of great importance, the vulnerability of critical infrastructure – in both the public and private sectors – to cyber attack. The legislation lays out a process for designating critical infrastructure, assessing risks to it and “promulgat[ing] regulations to enhance the security of covered critical infrastructure against cyber risks.” This component will no doubt attract scrutiny as it assigns responsibilities and assesses liability – and the limitations thereof – with regard to the cybersecurity of critical infrastructure. (S.2105 also lays out standards on criticality, having to do with loss of life, service interruption, and severe economic damage among others).

Other elements of the bill consider the expanded staffing needs and the peculiarities of clearing non-government employees to handle sensitive or classified information. It also considers cybersecurity information sharing issues, reform of the Federal Information Security Management Act (FISMA), and education and R&D initiatives.

This bill may be able to clear previous obstacles and deliver to the President and the Department of Homeland Security the necessary authorities to move beyond piecemeal efforts in cyber security remedy and coordination. The Senate Homeland Security and Governmental Affairs Committee has already held a hearing on the bill, so there is interest in getting this legislation to a Senate vote sooner rather than later.

Has the Cybersecurity Logjam Broken?

Congress has been making noise about passing comprehensive cybersecurity legislation for most of the last two years, prompted in part by the Obama Administration’s cyberspace policy review in 2009. Nearly two years later, the Administration has released a legislative proposal in cybersecurity that may help push legislation further along. Depending on how you count, there are nearly 50 different measures pending in Congress dealing with some aspect of cybersecurity, so a push should help.

The full Administration proposal is available online, as well as section-by-section analysis and a fact sheet. You can also look at specific parts of the proposal (see the May 12, 2011 entries), which are listed below:

  • Changes in criminal penalties for several computer-related or computer-enabled offenses
  • Data Breach Notification requirements
  • Codifies Department of Homeland Security responsibilities for civilian cybersecurity
  • Sets cybersecurity requirements for critical infrastructure systems
  • Updates the Federal Information Security Management Act

Some of these topics have been covered in current cybersecurity legislation or bills that were introduced in previous sessions of Congress. So in many cases, there isn’t a disagreement on whether or not a certain law is necessary, but there may be disagreement on exactly how that law should be written. And while the Administration has introduced this legislation in one large package, there is no way of knowing exactly how the package will be handled in Congress. The Senate has a placeholder bill ready to handle a single cybersecurity bill, but it’s just as possible that Congress will seek to move quickly on those bills that already have broad support ahead of new proposals or other proposals that still require negotiation.

Sony-Prompted Hearing Features Testimony from USACM Chair

Prompted by the massive data breaches of Sony’s networks, the Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee held a hearing May 3 on data theft and its effects on consumers. One of the witnesses was USACM Chair Eugene Spafford. The committee has a webpage on the hearing, which includes links to an archived webcast and the written testimony of all four witnesses. You can also read Dr. Spafford’s testimony and the USACM press release covering it.

While Sony and Epsilon (an email marketing company that recently suffered its own data breach) were invited to testify, they declined to appear. This presented an excellent political opportunity for the members of Congress at the hearing, and the subcommittee chair suggested in press reports she may again invite Sony to testify. The witnesses that attended were from two government agencies heavily involved in data breach prevention and investigation – the Federal Trade Commission and the Secret Service – and legal and technical experts that provided useful context to both the recent data breaches and the longer-term problems in this area (publicly reported data breaches have affected at least 600 million records since 2005).

The Energy and Commerce Committee has worked on data privacy and data breach legislation in the past, and may try to use the recent breaches to push their legislation further through Congress than they have been able to before. The witnesses all supported some form of data privacy legislation to address not only data breaches and notification, but also effective information security practices. The large majority of these breaches could be mitigated by better implementation of best practices in this area. Many of the questions and answers reflected the long work of this committee in the area, though their questions suggested that companies have not been effective in communicating why they may not be able to immediately notify consumers in the event of a breach.

USACM Chair to Testify on Data Breaches

Prompted by the recent data breaches of the PlayStation Network and the email marketing company Epsilon, the Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee will hold a hearing this Wednesday, May 4, on data breaches. They have invited USACM Chair Eugene Spafford to testify. His testimony will focus on the technical aspects of holding and managing consumer data securely, and the threats against such information. The hearing will be available online, via the House Energy and Commerce Committee website. A link should be available by the time of the hearing, 9:30 a.m. Eastern on Wednesday. While the Subcommittee has inquired with both Sony (the manufacturer of PlayStation) and Epsilon about their breaches, they are currently not going to attend Wednesday’s hearing.

Hill Tech Happenings, Week of May 2

May 3

The House Oversight and Government Reform Committee will hold a hearing on updating the Presidential Records Act to better handle electronic records.
9:30 a.m., 2154 Rayburn Building

May 4

The Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee will hold a hearing on the threat of data thefts to American consumers. Recent PlayStation and Epsilon breaches are likely to be a focus of the hearing.
9:30 a.m., 2322 Rayburn Building

The Subcommittee on Intellectual Property, Competition and the Internet of the House Judiciary Committee will hold a hearing on Internet domain name oversight.
10 a.m., 2141 Rayburn Building

May 5

The Senate Energy and Natural Resources Committee will hold a hearing on the economic impact of cyber attacks. The hearing will focus on a discussion draft of cybersecurity legislation focused on the power and electricity infrastructure.
9:30 a.m., 366 Dirksen Building

The Subcommittee on Intellectual Property, Competition and the Internet of the House Judiciary Committee will hold a hearing on Internet competition.
10 a.m., 2141 Rayburn Building

Policy Highlights from Communications of the ACM – February 2011 (Vol. 54, No. 2)

Below is a list of items with policy relevance from the February issue of Communications of the ACM. As always, much of the material in CACM is premium content, and free content one month may slip behind a pay wall the next. You need to be a member of ACM or a subscriber to CACM to access premium content online.

News: Technology
Chipping Away at Greenhouse Gases by Gregory Goth
Review of processor algorithms that could lead to significant cost and energy savings. Also considered are the new research questions posed by the new technologies.

News: Society
Following the Crowd by Samuel Greengard
Discussion of crowdsourcing and how private and public sector organizations have tapped into the phenomenon.

Viewpoints: Privacy and Security
Against Cyberterrorism by Maura Conway
The author argues why cyber-based terrorist attacks aren’t as likely to occur as might be commonly thought.

Viewpoints: Economic and Business Dimensions
Household Demand for Broadband Internet Service by Gregory Rosston, Scott Savage and Donald Waldman
A consumer survey indicates what people are willing to pay for various speeds of Internet service.

Viewpoints: Education
From Science to Engineering by Mark Guzdial
The need for finding and measuring better ways to teach computer science is explored, with comparisons to physics and engineering education.

Policy Highlights from Communications of the ACM – January 2011 (Vol. 54, No. 1)

Below is a list of items with policy relevance from the January issue of Communications of the ACM. As always, much of the material in CACM is premium content, and free content one month may slip behind a pay wall the next. You need to be a member of ACM or a subscriber to CACM to access premium content online.

News: Society
India’s Elephantine Effort by Marina Krakovsky
Description of India’s efforts to establish a biometric ID program, in part to do better in delivering government subsidies to the people who are supposed to receive them.

Viewpoints: Law and Technology
Google AdWords and European Trademark Law by Stefan Bechtold
The article reviews recent trademark infringement cases involving keyword searches and what liability Google may have in such matters.

Cloud Computing Privacy Concerns on Our Doorstep by Mark D. Ryan
Using the example of conference management systems, the author outlines the risks and benefits of cloud computing services.

Contributed Articles
Follow the Intellectual Property by Gio Wiederhold
While movement of jobs between countries has occupied much attention in policy debates, the article focuses on the associated movement of intellectual property rights.

Review Article
A Firm Foundation for Private Data Analysis by Cynthia Dwork
A review of the technical challenges of Differential Privacy – analyzing database information without disclosing private information about people in the database.

Administration Issues National Strategy for Trusted Identities in Cyberspace

Last Friday the Obama Administration released its National Strategy for Trusted Identities in Cyberspace (NSTIC), a plan to leverage private sector tools to make it easier for some kinds of transactions to happen online. This would include both consumer and government transactions, and attempt to establish a system where identity can be confirmed online in a way that is much more certain than what is commonly done online.

The strategy outlines the establishment of an Identity Ecosystem that would “securely support transactions that range from anonymous to fully-authenticated and from low- to high-value.” This statement recognizes that some aspects of the Internet not only do not need identities to be confirmed to the same extent desired for something like a mortgage contract, but can thrive on anonymity. As the Strategy envisions this Ecosystem, various credentials and other means of authenticating or authorizing a person for certain activities or transactions would be established (likely evolving from some of what’s currently available). These items could then be used when a person seeks to access a number of different goods and services online. One of the selling points to consumers would be that this Ecosystem would reduce the need to maintain a number of different identities and/or passwords to operate on the web.

While NSTIC envisions the private sector doing a fair amount of work, the government will proceed with establishing an implementation plan and a national program office to coordinate efforts. Arguably it is the implementation plan, and how well it is followed, that will determine the success or failure of the strategy. In order for there to be trusted identities online, there must be trust in the tools used and in the entities charged with operating those tools. As building such trust has usually required nudging in other parts of the online landscape, it seems unlikely that this strategy will be successfully implemented without it.

Last summer USACM issued comments on a draft of NSTIC. Those comments reflect the concerns expressed above concerning successful implementation and management of this strategy. They still make good sense moving forward with implementation of the Strategy. Issuing this document is the first step in what will likely be a long, multi-year process. It’s not too late to read the Strategy and follow the issue as the implementation plan is developed.

USACM Vice-Chair Testifies on Challenges of Electronic Employment Verification

On April 14, Dr. Annie Antón, Vice Chair of USACM and Professor in the Computer Science Department of North Carolina State University, testified in front of the Social Security Subcommittee of the House Ways and Means Committee. She was one of the witnesses at a hearing on the Social Security Administration’s role in verifying employment eligibility. Other witnesses included staff from the Social Security Administration, the Government Accountability Office, and public interest groups interested in the issue. You can watch the hearing online.

Dr. Antón’s testimony focused on the effectiveness of E-Verify, an electronic system of employment verification used in a number of states for an increasing number of employers, with over 16 million queries in fiscal year 2010. USACM has testified on E-Verify and/or electronic employment eligibility before, in 2008 and 2007.

Highlights of Dr. Antón’s testimony included:

• The E-Verify system cannot effectively detect individuals who use stolen or forged identities. A 2009 evaluation of E-Verify found that 54 percent of illegal immigrants checked by the system were incorrectly identified as employment-eligible for that reason.
• Proper validation and testing of systems prior to widespread use will help minimize the possibilities of failure, which can contribute to additional identity theft and fraud.
• Mission creep for a system like E-Verify can lead to additional technical issues, leading to cost and/or schedule overruns and increased security vulnerabilities.

As this is the third time USACM has testified on this issue, it seems likely that the issue will continue to be a concern for Congress going forward.