Cybersecurity is a front-of-mind topic in the new 114th Congress, and key players on and off Capitol Hill are hoping to broaden the conversation to engage the public and to begin tackling issues such as how to pay for security upgrades desperately needed to protect U.S. industry.
Sen. Ron Johnson, R-Wis., the new chairman of the Senate Committee on Homeland Security & Governmental Affairs, believes a public “root-cause analysis” is necessary to better inform both his congressional colleagues and voters about the nation’s cybersecurity challenge.
“We need to get this issue out of the weeds,” Johnson said in an interview. “We need to properly identify the problem — do a root-cause analysis. Let’s make sure we understand how serious the cybersecurity problem is.”
The massive hack of Sony Pictures convinced many that the moment is right to pass a controversial, industry-backed bill on cybersecurity information sharing.
Johnson and other leaders of the congressional homeland security and intelligence committees are promising to do just that early in the new term.
“We haven’t taken the first step on cybersecurity: liability protection to allow information sharing to happen. … Every ounce of testimony we’ve received shows this is the first priority,” Johnson said.
House Homeland Security Chairman Michael McCaul, R-Texas, flagged the same issue.
“This year, I will lead a renewed effort to further protect our nation’s most critical networks from cyber attacks and build on the foundation laid by the enactment of five new cybersecurity laws I shepherded last Congress,” McCaul said last week. “My committee is currently working on cybersecurity legislation to better prevent, detect and respond to this threat and to remove any unnecessary legal barriers for the private sector to share cyber threat information.”
Cybersecurity professionals and industry leaders desperately want that legislation, even as some make clear that by itself it won’t be enough.
Information-sharing measures that passed the full House and the Senate Intelligence Committee in the 113th Congress were “good bills but relatively narrow,” said Larry Clinton, president and CEO of the Internet Security Alliance. “We need to do much, much more than information sharing.”
Clinton, like Johnson, believes Congress must “elevate its overall knowledge” of cybersecurity issues.
“Too many on the Hill think this is a technical issue dealing with the loss of credit card information,” Clinton said. “We have much deeper problems that are much more systemic. … The core problems are more economic than technical. But we haven’t had a single hearing on the economics of cybersecurity or developing appropriate incentives models.”
The Obama administration is looking at the incentives question, which the president called for in a 2013 executive order.
The departments of Treasury, Commerce and Homeland Security issued reports on possible incentives, although many in industry believe the administration has been slow to act on the recommendations. Administration sources privately say more on possible incentives could be released in coming weeks.
The issue has been a hot topic of discussion in public and closed-door settings as the administration works to promote the voluntary framework of cybersecurity standards developed by the National Institute of Standards and Technology.
Incentives for companies to use the framework will be “part of an ongoing conversation … a living process,” said NIST’s Adam Sedgewick. He pointed to the Commerce Department incentives report as “still pretty consistent” with what government officials and others believe would be effective.
Commerce cited reductions in cyber insurance premiums, tort liability limits, grants, regulatory streamlining and procurement advantages as possible incentives for industry to use the NIST framework.
The department recommended against using tax breaks to encourage cybersecurity improvements. Clinton and other industry representatives have praised a tax incentives bill offered last year by Sen. Kirsten Gillibrand, D-N.Y.
“The goal of incentives will be to help companies better manage risk,” Sedgewick said. “Incentives have to be tailored to meet those goals.” Continuous use of the framework should reveal the type of incentives that would be most appropriate, he said.
Clinton, meanwhile, said he was encouraged by the new faces in Congress who will take the lead on cybersecurity. Johnson, for instance, reached out to industry when he first came to the Senate in 2011 and has been engaged on the issue ever since, Clinton said.
Johnson, a businessman, said he would use his new position to promote regulatory and liability relief for industry. He suggested that one of government’s best moves would be to stay out of the private sector’s way.
“I believe business wants to secure their networks, they already have the incentive,” Johnson said. “The government can’t tell them how to do it. The federal government doesn’t have the capacity for staying ahead of the curve.”
In the House, freshman Rep. John Ratcliffe, R-Texas, is the new chairman of the Homeland Security Committee’s cybersecurity panel. Ratcliffe is little known among industry leaders but also favors a pro-business approach to cybersecurity.
“As the subcommittee chairman, my top priority will be the protection of our nation’s critical infrastructure from cyber attacks and to provide strong solutions to diminish cybersecurity threats against America that incorporate a limited-government approach that does not add to our budget deficits,” Ratcliffe said.
Interest in taking a broad look at cybersecurity policy is apparent in the new Congress, and the order of battle for addressing the issue should come into focus relatively quickly.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.