The “belly button” of cybersecurity policy this year shifts from Capitol Hill to the departments of Homeland Security, Justice and other warrens of the federal bureaucracy charged with implementing a new cyberlaw.
Congress will try to address cybersecurity in some fashion, though insiders acknowledge a certain cyberpolicy fatigue after the multi-year campaign to pass information-sharing legislation. That effort culminated with President Obama’s signature on the new law on Dec. 18.
Of the issues that Congress could consider, data-breach notification has been kicking around the longest.
Staffers on the House Financial Services and Energy and Commerce committees have begun “very tentative” discussions on reconciling rival data-breach notification bills that would replace a patchwork of state laws with a uniform federal standard.
Industry groups broadly support that goal, but the consensus unravels when it comes to the related security standards companies would have to employ to protect consumer data.
The banking sector wants to see retailers and others covered by the same kind of data security standards that financial firms already face. Retailers disagree.
“Haphazardly slapping rules that were written 15 years ago for the financial industry on retailers, restaurants and thousands of small businesses is not the kind of data security legislation that will safeguard our economy,” the Retail Industry Leaders Association said in a statement last month. “This is red tape masquerading as security.”
“There is a desire by both committees to reach a compromise and there is a modest chance for some movement in the House,” according to a source close to the financial sector. “Can the chairmen set aside jurisdictional issues to produce a compromise product? The chances are better than zero.”
That’s at least a sliver of potential sunshine. In the Senate, the issue is not front-of-mind for the Banking, Commerce or Judiciary committees that share jurisdiction.
“It’s a dicey issue politically, though it shouldn’t be,” said the financial sector source. “It should be viewed as strong pro-consumer legislation, but it got caught up in an inter-industry fight and the jurisdictional fight on the Hill.”
Said another lobbyist who doesn’t represent either banking or retail: “Data-breach legislation probably gets more attention this year, but I don’t see a tipping point in the immediate future.”
Away from Capitol Hill, industry lobbyists will be closely watching how the federal bureaucracy implements the new cybersecurity law.
“We’re focused on implementation. We want to ensure it’s consistent with the law,” an industry source said. “That could be number one for us at least for the first quarter of 2016. It will be interesting to see who owns what at each department.”
Within 60 days of enactment of the Cybersecurity Act of 2015, Homeland Security and Justice must jointly develop guidance on how private entities voluntarily share threat indicators with the government, issue guidelines to promote sharing and offer interim guidance on civil liberties and privacy protections.
The director of national intelligence, along with DHS, DOJ and the Defense Department, must produce procedures within 60 days for how threat indicators are shared among agencies and with the private sector.
Final versions are due in June. By mid-March, DHS must certify to Congress that it has the capacity to receive and share threat indicators.
“The attorney general and secretary of Homeland Security are responsible for jointly producing six sets of guidelines in consultation with other agencies and in coordination with the National Security Council,” a DOJ spokesman told InsideCybersecurity.com. “This process is underway.”
The criminal division at the Department of Justice is taking the lead in writing the guidance, according to sources, while the responsibility also falls to a number of offices at DHS.
“It’s nice to have these policies and procedures coming out in an election year,” the industry source said. With Congress’ attention elsewhere, look for the business community to focus its cybersecurity advocacy efforts on the executive branch.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.