President Obama in his State of the Union address aims to position cybersecurity as a prime area for cooperation with the Republican-controlled Congress, but it remains to be seen whether his three-pronged approach to cyberpolicy lands with a thud on Capitol Hill.
From a handful of words in Obama’s 2012 State of the Union address to a featured role in Tuesday night’s speech, cybersecurity has slowly but persistently pushed its way into the national political discourse.
That’s a function of both the growing threat — from hostile foreign governments, cyber criminals and rogue operators — and increased efforts by lawmakers, federal government officials and industry to spread public awareness of the issue.
Obama issued a widely praised executive order on cybersecurity almost exactly two years ago, and one year later the National Institute of Standards and Technology produced the voluntary framework of cybersecurity standards.
Congress in December passed a handful of bills clarifying government roles and responsibilities in cybersecurity.
Now, the president will ask Congress to move heftier, potentially more contentious legislation: addressing cyber-information sharing between the private sector and government; updating laws to fight cybercrime; and establishing a uniform national standard for notifying consumers when their credit card and other data has been illegally accessed.
There is potential common ground in all of his cybersecurity proposals, while aspects trigger intense policy disagreements.
Republicans and many in the business community will scrutinize the administration’s price for the liability protection that they say is essential to encouraging industry to share “threat indicators” with the government.
Republicans including new Senate Homeland Security and Governmental Affairs Chairman Ron Johnson of Wisconsin say industry should have broad protections as they engage in cybersecurity information sharing.
But privacy advocates who have been in Obama’s corner on many issues immediately came out against the language in the information-sharing proposal.
“Although the administration’s proposal includes some modest privacy improvements … it ultimately falls short when it comes to addressing the significant privacy and civil liberties concerns that come with companies’ sharing more data with the government,” said Robyn Greene, policy counsel at New America’s Open Technology Institute.
Likewise, the privacy community rendered a split decision on the data-breach notification proposal, with some lamenting that it would pre-empt even tougher pro-consumer laws in places like California.
Retailers and the financial sector, frequently at odds over responsibility for consumer data breaches, put out encouraging statements on the data-breach notification proposal.
The trick will be crafting legislative language that doesn’t favor one side over the other, said Stuart Ingis, a partner and leader of the privacy practice at the Venable law firm.
“There has been consensus and a call from many in the business community several years running for data breach legislation,” Ingis said. “This may finally be the year if the bill can avoid being bogged down with data use limitations and questions surrounding what entity is responsible for payment of breaches.”
The president and his aides are emphasizing areas of agreement in cyberpolicy and vowing to work with the Republican congressional majorities.
“I’ve got a State of the Union next week,” Obama said on Jan. 13 as he sat down for the first time with the leadership of the new 114th Congress. “One of the things we’re going to be talking about is cybersecurity,” Obama told reporters.
Obama said of his initial discussions with House Speaker John Boehner, R-Ohio, and Senate Majority Leader Mitch McConnell, R-Ky., on cybersecurity: “I think we agreed that this is an area where we can work hard together, get some legislation done and make sure that we are much more effective in protecting the American people from these kinds of cyberattacks.”
Boehner and McConnell both showed themselves willing and able to find room for cyberlegislation on the House and Senate floor last December. The Republican leaders have stressed their desire to pursue areas of agreement with the White House even as the sides battle it out over the budget, Obamacare and immigration.
The Republican chairmen and Democratic ranking members of the House and Senate Homeland Security panels last week issued a joint release pledging to work together and with the White House to pass cyberlegislation.
“It is essential that any information-sharing bill strike an appropriate balance between the ability to share necessary data and to protect privacy and civil liberties,” said Senate homeland security ranking member Tom Carper, D-Del. “Congress must act quickly to bring forth information-sharing legislation in the face of the growing and evolving cyberthreat, and the President’s proposal … is an important part of that effort.”
Republicans were gracious as well, but also took a dig at the White House.
“While it took an attack on Hollywood for the President to re-engage Congress on cybersecurity, I welcome him to the conversation,” said House Homeland Security Chairman Michael McCaul, R-Texas. “My committee is currently working on cybersecurity legislation to remove any unnecessary legal barriers for the private sector to share cyber threat information.”
The new House intelligence chairman, Rep. Devin Nunes, R-Calif., also put out a statement welcoming the president’s contribution and promising close consideration.
Still to come are decisions on which lawmakers and committees will lead on information sharing, breach notification and the other issues — and whether policy makers can make substantial progress before the inevitable next major attack.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
