A Review of Attempts at Cybersecurity Legislation and the Obama Administration's Administrative Actions
Cyber attacks and security breaches have become an increasingly significant risk of doing business. During the first quarter of 2013, numerous social media sites and iconic news media outlets, including Facebook, Twitter, The New York Times, and The Wall Street Journal, announced incidents of targeted cyber attacks that put the privacy of their customers at risk. Criminal groups have learned that there is money to be had in the "profession" of cyber hacking. Cybercrime is now a multimillion-dollar industry serving those interested in buying and selling stolen personal data. The impact on businesses is staggering: In 2012, cybercrimes cost U.S. companies an average of $8.9 million. When factoring in, among other things, cybersecurity insurance, lost business opportunities, lawsuits, and mitigating adverse publicity, costs can quickly accrue. As a result, some companies have also seen the merits of enlisting well-intentioned hackers to identify system vulnerabilities. In 2012, Google announced that it was willing to pay up to $1 million in rewards to those who were able to hack its Google Chrome browser. The well-known search engine explained that it wanted to test Google Chrome's strength against cybercrime and identify any existing security flaws that could be fixed.
An absence of federal legislation and cybersecurity infrastructure has forced companies like Google to resort to such unusual measures in the war against cyber attacks and cybercrime. While most companies understand that their value is oftentimes tied to how well they keep consumers' information secure, they have, for years, been awaiting Congress' action in implementing heightened private sector/public sector cooperation, and even cybersecurity regulation, that will not leave them bankrupt in the process. For the past several years, Congress has been unsuccessful in its attempts to adopt cybersecurity legislation that appeases both the corporate community and civil liberty groups. A heated debate has arisen concerning the best ways to regulate cybersecurity. While companies welcome input from the government about cybersecurity issues and efforts to combat cybercrime, they cringe at the notion of reporting obligations and mandates that require them to purge personal user information before sharing data concerning cybercrime threats with government entities. Instead, companies are demanding immunity from civil suits stemming from the disclosure of personal information during mandatory information sharing. Business owners are also wary of government involvement in the creation and implementation of business practices. On the other side of the debate lie technology-focused lobbying groups that dislike the promotion of information sharing without the burden of first cleansing data of all personal user information. They also reject the idea of an internet "kill switch" that would give government the power to shut down the internet in the event of a national emergency.
For years, Congress has failed to resolve the mandatory regulation versus voluntary cooperation debate. As a result, the business community has been left with the responsibility of protecting sensitive consumer data without governmental support or direction. Many believe 2013 will be the year of passage of the first cybersecurity law. This White Paper provides a review of failed prior legislative efforts, starting first with the Cybersecurity Act of 2010. This White Paper also provides a review of the Obama administration's approach to cybersecurity without legislation, namely: the Obama administration's Executive Order on cybersecurity and the measures it is taking to share governmental information about cyber threats with the corporate community.
The Cybersecurity Act of 2010
In April 2009, Democratic Senator John D. Rockefeller IV introduced the Cybersecurity Act of 2010. Senators Evan Bayh, Barbara Mikulski, Bill Nelson, and Olympia Snowe cosponsored the bill. Senator Snowe was the only Republican among the bill's sponsors. The fairly expansive and comprehensive legislation focused on creating guidelines and regulations for cybersecurity in both the public and private sectors. The proposed legislation placed significant reporting and compliance requirements on public companies and authorized the President to initiate rulemaking for "critical infrastructure information systems"—information systems considered so vital to the United States that their debilitation or destruction would have crippling effects on the nation's safety and security. Further, the bill charged the President to design a comprehensive national cybersecurity emergency plan. The proposed bill gave the President power to employ what would be known as an internet "kill switch" as part of the mandated cybersecurity emergency plan. This "kill switch" would allow the President to shut down certain portions of the internet in cases of national emergency.
The notion of the internet "kill switch" stirred opposition against the bill, creating concerns that it gave the President too much discretionary power and infringed on civil liberties. Critics also argued that the bill required an unwarranted increase in government spending and contained a number of measures that were both disruptive and detrimental for the cybersecurity industry. The reporting and compliance requirements on the private sector were also feared to have the same effect as the "security frameworks" provision in Sarbanes-Oxley, which burdened publicly traded companies with extensive documentation and expenses related to ensuring compliance. As a result of these reporting requirements, the private sector believed it was being overregulated and underfunded. In the end, the bill never received widespread support and ultimately died in the Senate Commerce, Science, and Transportation Committee.
The Protecting Cyberspace as a National Asset Act of 2010
On June 10, 2010, Independent Senator Joe Lieberman of Connecticut introduced the Protecting Cyberspace as a National Asset Act of 2010. The bill was cosponsored by Democratic Senator Thomas Carper and Republican Senator Susan Collins. The proposed legislation again directed the President to create a cybersecurity emergency plan that included the authority to seize control of, or even shut down, portions of the internet. In an effort to allay fears that the bill provided the same controversial discretionary power for a presidential "kill switch" as that described in the Cybersecurity Act of 2010, Senators Lieberman and Collins issued a press release stressing that the bill only affected critical infrastructures—not the entire scope of the internet. The press release failed to subdue the concerns of critics, who warned that the bill created the potential for absolute power.
The proposed legislation also required private companies, like broadband providers, search engines, and software firms, to comply with any emergency measures established by the Department of Homeland Security. Failure to comply meant facing hefty fines. In addition, the new bill called for improvement to the nation's cybersecurity framework by establishing national committees on cybersecurity. It also directed the President to appoint a single director of cybersecurity to oversee infrastructure implementation and national policy.
What most differentiated this bill from its predecessor was its focus on business protections. The bill granted companies immunity from civil suits when they could show that a federal regulation or command caused a programming error that resulted in damage to customers. Companies would also receive indemnification from the federal government when the harm caused to customers was the result of a federal emergency order.
This time, the need for greater regulation in the private sector contributed to the bill's failure. In an effort to avoid the backlash against the reporting requirements contained in the Cybersecurity Act of 2010, the new bill shifted much of the burden from the private sector to the public sector by creating regulations and requirements that affected only the federal government. While the bill tried to alleviate the financial burdens that would be placed on private industry, it was then criticized for leaving the private sector underregulated. Critics again attacked Congress for its failure to find a "sweet spot" between the business community and privacy interests.
Critics, including the nation's largest technology-focused lobbying group, were also focused on the possibility of another internet "kill switch." Despite receiving bipartisan support from Democratic Representative Jay Rockefeller and Republican Representative Olympia Snowe, the bill failed to gain widespread support.
International Cybercrime Reporting and Cooperation Act
The International Cybercrime Reporting and Cooperation Act was introduced by Democratic New York Senator Kirsten Gillibrand in August 2011. Gillibrand's proposed legislation focused on cybersecurity efforts overseas as it addressed multilateral efforts to prevent and investigate cybercrime on an international level. The bill required the President to provide an annual presidential report to Congress that discussed foreign countries' use of information and communications technologies ("ICT") and their responses to cybercrime on a domestic and international level. The bill also promoted foreign assistance to potential cybercrime havens by requiring the President to develop programs designed to combat cybercrime abroad in countries with low ICT levels. Further, the bill directed the President to identify countries of cyber concern and impose restrictions on those countries that failed to comply with appropriate benchmarks.
The internationally focused bill was referred to various subcommittees, including Foreign Affairs, Ways and Means, and Financial Services, but it ultimately fell victim to subcommittee debate and, like other attempts at cybersecurity regulation, never moved past the committee stage.
The Cybersecurity Act of 2012
On February 14, 2012, Independent Senator Joe Lieberman made yet another attempt at cybersecurity legislation through the introduction of the Cybersecurity Act of 2012. Republican Senator Susan Collins and Democratic Senators Dianne Feinstein, John Rockefeller, and Sheldon Whitehouse were cosponsors. Unlike its predecessors, the bill's directives were aimed at federal agencies, instead of the President. The bill also aimed to protect critical U.S. infrastructure through joint collaboration between the government and the private sector.
The proposed legislation directed the Secretary of Homeland Security to consult with owners of critical infrastructure and formulate an action plan to protect the nation's critical systems. The bill also asked federal agencies to adopt best practices that would motivate employees to demonstrate leadership in cybersecurity. Further, it required the Department of Homeland Security to coordinate with private sector and academic experts to develop risk management strategies. The expansive legislation also touched on education programming. The bill required the development of new education and recruitment programs and directed the Secretary of Education to develop curriculum standards to include cybersecurity issues from elementary school through higher education.
The Cybersecurity Act of 2012 encountered strong opposition from Republican senators, including Senator John McCain, who sided with the U.S. Chamber of Commerce. Opponents largely consisted of business leaders, who argued that the bill's regulations intruded into private business operations, thereby increasing private sector costs. While businesses believed the bill gave the government too much power in regulating their own security, supporters of the bill contended that there could be no guarantees that companies would self-regulate if left to their own devices. Republicans promptly initiated a filibuster in the Senate, and thus there was never a final vote on the measure.
President Obama's Executive Order: "Improving Critical Infrastructure Cybersecurity"
Frustrated with Congress' lack of progress in adopting cybersecurity legislation, President Obama identified cybersecurity among the top issues to address in his second-term agenda. On February 12, President Obama issued an Executive Order titled "Improving Critical Infrastructure Cybersecurity." The Executive Order was signed just hours before the President's State of the Union Address, in which he again highlighted the need for a cybersecurity framework.
The Executive Order dramatically broadened existing information sharing programs, making it easier for private companies in control of the nation's critical infrastructure to share information about cyber attacks with the government.
Section 9(a) of the Executive Order provides that within 150 days, i.e., by July 12, the Secretary of Homeland Security "shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, e-commerce security, or national security." The Section includes a carve-out for "commercial information technology services." Section 9(e) provides that the Secretary is to notify confidentially the owners and operators of critical infrastructure of their designation as such and shall provide to them the basis for that determination. The owners and operators may request reconsideration.
Section 2 of the Executive Order defines the key term "Critical Infrastructure" as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Debates have already broken out and lobbying commenced regarding which firms will be found to provide "critical infrastructure" and which firms will be exempt "commercial information technology service" providers. For example, telecommunication service providers such as AT&T and Verizon have questioned why firms that provide digital services—such as Google, Apple, and Microsoft—should be exempted. Marcus Sachs, Vice President of National Security Policy for Verizon, argues that email is "critical infrastructure": "If email went away this afternoon, we would all come to a stop. Hell yeah, email is critical." Others add that it is not realistic to expect to protect telecommunications "critical infrastructure" unless information technology products that use telecommunications networks are also considered because hackers will naturally attack the weakest link in any network.
Section 7 provides that the Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Director is ordered to publish a preliminary version of the Cybersecurity Framework within 240 days, i.e., by September 30. The final version is due within one year, i.e., by February 12, 2014.
Section 8 directs the Secretary of Homeland Security to establish a "voluntary program" to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested parties. In particular, Section 8(d) directs the Secretary to "coordinate establishment of a set of incentives designed to promote participation in the program." Section 8(e) provides that the Secretary of Defense and Administrator of General Services, in consultation with the Secretary of Homeland Security and the Federal Acquisition Regulatory Council, shall make recommendations to the President and others "on the feasibility, security benefits and relative merits of incorporating security standards into acquisition planning and contract administration."
Under Section 10(a), within 90 days of publication of the preliminary Cybersecurity Framework, i.e., by December 29, various federal agencies are directed to issue a report to the President "that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required." Under Section 10(b), if current regulatory requirements are deemed insufficient, then within 90 days of the publication of the final Cybersecurity Framework, i.e., by May 13, 2014, the agencies are directed to propose risk-based, efficient and coordinated actions to mitigate cyber risks. Under Section 10(c), within two years after the publication of the final Cybersecurity Framework, the agencies are directed, "in consultation with owners and operators of critical infrastructure, [to] report to OMB on any critical infrastructure subject to ineffective, conflicting or excessively burdensome cybersecurity requirements."
In an effort to address the fact that Executive Orders generally lack any actual legal enforcement, President Obama offered incentives to companies to voluntarily adopt the standards initiated under the Cybersecurity Framework. Despite this work-around, critics argued that the Executive Order failed to provide companies with sufficient protections that would induce any voluntary cooperation. Private companies willing to participate faced a significant risk: Information sharing with the government could lead to additional liabilities and lawsuits because the data that would be given to the federal government could include private information from customers. As a result, critics questioned whether companies will participate without additional protections and safeguards, such as legal immunity from civil suits. Regardless, analysts predicted that the President's Executive Order would serve as the starting point for congressional action on meaningful cybersecurity legislation.
On February 12—the very same day that President Obama issued his Executive Order on cybersecurity—Republican Representative Mike Rogers and Democratic Representative Dutch Ruppersberger introduced the Cyber Intelligence Sharing and Protection Act ("CISPA"). The proposed bill required the Director of National Intelligence to establish procedures that would allow the federal government, including the intelligence community, to share cyber threat information with the private sector. Upon receipt of such information, private entities would thereafter be prohibited from further disclosure of the cyber threat information to third parties. The bill also allowed companies to pass user information to the federal government and absolved private sector firms of the responsibility or requirement to remove personal information before sharing it with the government. Further, CISPA provided broad legal immunity to companies that collected and shared inaccurate cyber threat information, as long as they were able to prove that the information was provided in good faith.
Allowing companies to pass unsanitized user information to the government, however, stirred significant outcry from civil liberty groups, which argued that the bill could lead to significant violations of privacy rights. The broad grant of immunity to cooperating companies also initiated opposition from the White House. The administration argued that the scope of liability protections granted to businesses was too broad and that more targeted liability protections were needed. On April 18, the House of Representatives passed CISPA with a vote of 288–127, despite strong opposition from privacy advocate groups and a veto threat from the White House.
Currently, CISPA's future looks grim as it sits stalled in Senate subcommittee. Privacy rights lobbying groups and internet activists have come together in strong opposition to the bill, declaring that it violates privacy rights. Outspoken Democratic senators, like Jay Rockefeller of West Virginia, have vowed to fight the bill and prevent its passage. Understanding and accepting the bill's likely demise, both Senator Jay Rockefeller and Georgia Republican Senator Saxby Chambliss have decided to "start from scratch," and are working on new legislation aimed at bridging the gap between corporate interests and privacy rights.
While legislators continue to search for the seemingly elusive balance between effective cybersecurity regulation, business interests, and privacy protections, businesses are left to fend off cybercrimes on their own. As cybercrimes increase, businesses will be forced to focus their attention and resources on collateral business obligations, rather than the promotion of their respective services and products. Google's example illustrates one of the most innovative ways in which to engage in the battle against cybercrime, and it also underscores the importance of cybersecurity. In an effort to avoid the unwanted costs and distractions associated with data breaches, businesses must now make it a priority to be vigilant in their efforts to combat cybercrime. The first steps in establishing proper cyber protections should begin with conducting risk assessments to identify system vulnerabilities. Identifying internal weaknesses will assist businesses in establishing internal policies and protections that will strengthen their security measures and fortify their data.
Further attempts at passing cybersecurity legislation are expected for the remainder of 2013. In order to succeed, Congress will need to offer substantive guidance to those businesses seeking ways to improve their cybersecurity without overstepping into internal business management and day-to-day operations. Further, it will need to find equilibrium between business interests and privacy protections. Until effective cybersecurity legislation comes to fruition, businesses must understand that it is up to them to protect their consumers, and their ultimate bottom line.
Banking Regulators Urge Banks to Take Action
U.S. regulators are not waiting on Congress to take action to combat cyber attacks. For example, federal officials and the banking industry are preparing for a major cyber "war game" exercise titled "Quantum Dawn 2" involving banking regulators, the Department of Homeland Security, and major banks and securities firms represented by the Securities Industry and Financial Management Association. Moreover, Treasury Department officials and other officials have been conducting classified and nonclassified briefings with bank officials. Finally, federal financial regulators are advising bank executives to change the way they think about cyber attacks and to consider them as they do more traditional risks, such as credit and interest rate risk, when they make strategy decisions. Taking it a step further, federal regulators are telling banks that they will be judged on their preparations against cyber attacks when regulators evaluate their operational risks.
The advice and warnings that federal financial regulators are now providing to bank executives should be heeded by all private sector firms. While the private sector should remain involved in congressional attempts to pass cybersecurity legislation, it should not wait on legislation to take action. The risks are simply too great.