New cyber law faces first big test

The cybersecurity policy realm has reached two important milestones that will help shape the overall U.S. cyberstrategy for years to come. The first is at the Department of Homeland Security and the other is at the National Institute of Standards and Technology.

Congress is largely on the sidelines this year, though some discrete cyberissues may arise. Legislation on “strong encryption” is in the works, but it’s unclear whether that issue can gain traction on Capitol Hill.

The law enforcement community and the technology industry are at odds over whether and how to provide access to encrypted devices in order to fight crime and terrorism. The issue gained new prominence after the terrorist attacks in San Bernardino, Calif.

House Homeland Security Chairman Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., are planning to unveil a bill this week to create a national commission on encryption policy.

Another draft bill is brewing at the Senate Intelligence Committee that would require tech companies to help access encrypted devices under court order.

But the big bites at cyberpolicy will come from efforts to implement the Cybersecurity Act of 2015, which President Obama signed into law in December, and to continue carrying out the functions of the president’s landmark 2013 executive order on cybersecurity.

DHS and other agencies took an important step last week in implementing the 2015 cyberinformation-sharing law.

The Obama administration, led by DHS, transmitted to Congress four reports on how it will implement info-sharing procedures for government and the private sector, and related privacy protections.

Publication of the guidelines means industry’s long-sought legal protection for sharing cyber threat indicators, a focal point of last year’s congressional debate, kicks into effect.

“The information-sharing reports were received from DHS … and we are currently in the midst of reviewing them,” a congressional source said. “This was their first deadline on the Cybersecurity Act, and while we’re still reviewing, everything appears to be in order.”

Digital privacy groups, which fought a losing battle against the cyberlaw last year, offered mixed reviews of the new guidelines.

“The guidance makes it clear that companies that share personally identifiable information that does not fit within the four corners of the [law’s] complex definition of ‘cyberthreat indicator’ could face liability for doing so,” said Gregory Nojeim of the Center for Democracy and Technology. “Companies would be well advised to have systems in place to remove such personal information before they share these indicators with any federal, state or private entity.”

The American Civil Liberties Union said the guidance documents revealed dramatic shortcomings in the law.

On a less contentious, but no less complex, note, NIST this week closes a comment period on its framework of cybersecurity standards, which has guided government-industry collaboration on cyber issues since 2013.

The NIST framework has allowed industry to take the lead in places such as the telecommunications industry, with the blessing of regulators.

But regulatory pressures are building across sectors as officials increasingly demand proof that industry’s efforts are actually improving cybersecurity.

The NIST comment period, which closes on Feb. 23, provided an unparalleled opportunity for industry groups to make the case in favor of collaboration and against regulation. The U.S. Chamber of Commerce and trade associations representing all of the critical infrastructure sectors weighed in, as did consultants, tech firms and a wide variety of stakeholders.

Now, the next steps could determine whether federal officials decide to double down and emphasize the voluntary, industry-led spirit of the framework across government, or if regulatory creep will come to dominate the process.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” coming this spring from Rowman and Littlefield.
