Against the backdrop of the latest cyber mega-breach, policymakers recently made advances on two fronts in the campaign to secure cyberspace.
The Senate Intelligence Committee last week unveiled the text of a cybersecurity information-sharing bill that cleared the panel, in secret session, with a 14-1 vote.
The House Intelligence and Homeland Security committees were preparing bills on the same topic, stoking expectations that both the House and Senate could pass major cybersecurity legislation in April.
Off Capitol Hill, a Federal Communications Commission advisory council approved an industry-drafted plan to improve cybersecurity across the telecommunications sector.
This plan is designed to create a “new paradigm” — neither regulatory nor laissez-faire — that FCC Chairman Thomas Wheeler has said is essential to meeting the challenges of cybersecurity.
It may be obscure, but the FCC initiative will touch almost every American because it covers wireless service, traditional “wireline” telephones, television broadcasters, and cable and satellite providers.
The plan is the most direct effort by an industry sector to employ the framework of cybersecurity standards developed by the National Institute of Standards and Technology.
NIST’s framework, in turn, is the centerpiece of the Obama administration’s strategy to encourage effective, voluntary industry efforts on cybersecurity.
“I can’t emphasize enough the importance of this,” Wheeler said at the FCC advisory council meeting on March 18. “If we don’t take charge of our own protection, we will have done a disservice to our nation.”
Over the past year, Wheeler and his top deputy for cybersecurity, retired Adm. David Simpson, engaged in a “tough love” approach on cybersecurity, always encouraging industry but warning that regulations were an option.
Sometimes the message was appreciated by business, and sometimes it wasn’t. A few congressional Republicans took notice and asked, pointedly, whether the FCC even had the authority to impose cyber regulations.
But in the end, the FCC leadership saluted the industry offering, with Simpson calling the plan a “win-win-win” for the FCC, industry and state and local authorities. Next comes an ongoing effort to demonstrate that the strategy actually works.
Meanwhile, the breach at insurance provider Premera Blue Cross was the latest bad news in cybersecurity.
“Once again a cyber breach has compromised individuals’ most personal information, including the exposure of the health records of up to 11 million Americans,” House Homeland Security Chairman Michael McCaul (R-Texas) said on March 18.
The hack may have gone beyond healthcare data to include exposure of Social Security and financial records.
“This breach underscores the urgent need to move forward with legislation that removes legal barriers for cyber threat information sharing,” McCaul said. “Better information sharing will improve the private sector’s ability to safeguard our personal data and keep hackers outside of our digital health records.”
McCaul, who was set to unveil an information-sharing bill, has already demonstrated an ability to balance privacy and security in cybersecurity legislation. His committee produced cyber legislation last year supported by both the business community and privacy advocates.
“Very few bills can say that,” McCaul said at a Center for Strategic and International Studies event.
The Senate Intelligence Committee last week released text of a bill designed to thread the same needle.
After previous iterations of the Senate Intelligence panel’s work were shredded by privacy advocates and shunned by the Obama administration, the committee has produced a bill that limits liability protection to certain kinds of information sharing, emphasizes privacy protections and makes clear that companies won’t have a green light for offensive “countermeasures.”
Sen. Dianne Feinstein of California, the ranking Democrat on the Intelligence Committee, said 12 privacy amendments were added to the bill during the closed-door markup on March 12.
“We’ve bent over backwards to provide things in this bill that were important” to the Obama administration and privacy advocates, Feinstein said. The committee struck a remarkable balance, according to Feinstein, and “the only way to get this first step done is in a bipartisan way.”
Senate Intelligence Chairman Richard Burr, R-N.C., said he made extensive concessions to get the bill through committee. “The vice chair has stretched me so much I feel like I’ve had cosmetic surgery,” he joked about Feinstein’s advocacy of changes on the privacy issue.
Still, the new bill wasn’t very attractive within the online privacy community, where “cosmetic” changes were dismissed as ineffective.
Groups like New America and the Center for Democracy and Technology said the bill was tilted toward surveillance and law-enforcement purposes, despite stout denials from its sponsors.
Burr and Feinstein said the private sector would share electronic data through a “portal” at the Department of Homeland Security, which has a well-developed “infrastructure” to protect privacy. That’s also the portal the Obama administration wants to use for information sharing.
The Senate Intelligence leaders said data would be scrubbed of personally identifiable information at multiple stages before it went to intelligence or law enforcement agencies.
Would it be enough for the Obama administration?
The White House has some choices, and decisions, to make.
The House seems certain to produce legislation that allows for direct sharing between the private sector and DHS, but also with law enforcement and intelligence entities. That’s anathema to online privacy advocates.
The House, Senate and White House all will soon have work products on the table. It remains to be seen whether even more high-profile breaches are required to force the parties together.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.