For more than a decade, addressing vulnerabilities in our nation’s cybersecurity has been a policy priority for the executive and legislative branches of our government. As technology has rapidly advanced and use of the Internet has grown, so too has the risk of attacks on critical information technology infrastructure, large-scale invasions of privacy, and the concomitant need for new federal standards and solutions.
This need has merited attention from policy makers because the impact of a serious attack would be debilitating to the nation’s security, economy, public health, or some combination of the three. Examples of the types of infrastructure at significant risk of attack are communication networks, power grids, water supply distribution systems, air traffic systems, and banking and financial institutions. Attempts to infiltrate vital U.S. business sectors and government agencies have grown exponentially. The Department of Commerce estimates that in the first quarter of this year, there were approximately 67,000 new malware threats on the Internet every day, a pace more than double the number in 2009.
As these attacks increase, security policy and technological capabilities need to improve in order to address the threats. In recent months, high-profile breaches of data at prominent companies like Google and Sony, as well as at the United States Senate and the Pentagon, have elevated the level of concern in both the public and private sectors of our economy. A new study conducted by the Intelligence and National Security Alliance (“Study”) found that those intending to conduct attacks on the vital information technology systems of private businesses have grown so sophisticated that the possibility of a potentially catastrophic attack has increased exponentially. The Study goes on to urge the U.S. government to develop cyber intelligence as a new and better coordinated government discipline that can predict and deter computer-related threats. The Study echoes a finding by the Government Accountability Office in July 2011, which concludes that cyber attacks on the U.S. government are growing more frequent and that the U.S. government has been slow to react despite more than a decade of open and notorious threats.
In the report below, the Public Policy & Government Relations Department at Edwards Angell Palmer & Dodge LLP reviews current cybersecurity policy proposals intended to enhance our nation’s security from a cyber attack and punish wrongdoing, as well as recent proposals intended to set national data breach notification standards and develop public-private voluntary security standards.
Focus of Recent Administrations on Cybersecurity
The advent of the Internet has caused recent presidential administrations to grapple with the issues surrounding cybersecurity. Briefly set forth here are a few prominent examples of such efforts emanating from the administrations of President Clinton, President George W. Bush, and President Obama:
- In 1998, the Clinton Administration recognized the United States’ “growing potential vulnerability” to a cyber attack. In Presidential Decision Directive 63, President Clinton stated his intention to take “swift action” to shore up the nation’s cyber systems.
- Following 9/11 and the creation of the Office and then Department of Homeland Security (“DHS”), a 2005 task force established by the Bush Administration reported to President Bush that the “IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects.” A review, conducted by the Center for Strategic and International Studies in 2008, of the Bush Administration’s work to address these vulnerabilities found that while senior administration officials said that they considered cybersecurity “one of the greatest security challenges the United States faces…”, the nation continued to lack a comprehensive strategy to address the threat, and recommended the implementation of a national strategy for cyberspace led by the White House. The report also noted that U.S. computer crime laws are outdated and insufficient to combat modern cyber crime.
- Similarly, the Obama Administration has identified weaknesses in our nation’s ability to protect against a cyber attack. A 2009 review of the federal government’s cybersecurity infrastructure found that cyber attacks and protecting the nation’s infrastructure were “one of the most serious economic and national security challenges we face as a nation.” Aside from advocating for a comprehensive policy, the review also made a number of short-term recommendations that would enhance the nation’s cybersecurity quickly. In January 2011, the National Security Cyberspace Institute published an evaluation of how the Administration was faring in implementing these recommendations and gave a mixed assessment. The report was highly critical of the Obama Administration’s failure to appoint a cybersecurity coordinator until December 2009, saying that the delay was due to “a number of internal squabbles over authorities, responsibilities and chain of command.” The report was far more positive about the Administration’s work with other nations in developing an international cybersecurity policy and its efforts to raise awareness among the public about cyber threats and the need for a highly trained workforce to combat them.
In May of 2011, the Obama Administration sent to Congress a legislative proposal (“Obama Proposal”) intended to lay the foundation for codification of its federal cybersecurity policy. The Obama Proposal (including definitional criteria as noted below) consists of several components that would have significant implications for the cybersecurity practices of major sectors of the economy, including the defense, telecommunications, energy, electric, and banking industries. Below is a very brief summary of some key substantive and definitional provisions of the Obama Proposal:
- National Data Breach Reporting: If a business determines that an intruder has succeeded in achieving a security breach and has gained access to consumers’ sensitive personally identifiable information, that company is required to notify the affected consumers within one year (if the breach impacts 10,000 or more consumers). Currently, 47 states have various notification requirements. The Obama Proposal is intended to harmonize the breach reporting process and thus contains a preemption provision creating one federal standard.
- Strengthens Existing Law to Prosecute Cyber Crime: Amends the Computer Fraud and Abuse Act (“CFAA”) by making violations of the CFAA predicate offenses under the Racketeer Influenced and Corrupt Organizations Act (“RICO”). The Obama Proposal would also mandate a minimum three-year sentence for cybercriminals who cause or knowingly attempt to cause damage to critical infrastructure that either leads to or would have led to substantial impairment of critical infrastructure computers.
- Creating a Voluntary Assistance Program: The Obama Proposal suggests the creation of a voluntary government assistance program for businesses and state and local governments that suffer a cyber attack.
- Critical Infrastructure Defense: The legislative proposal outlines a system for identifying and protecting the nation’s “critical infrastructure.” The proposal requires operators of identified critical infrastructure to implement cybersecurity plans, and authorizes the DHS to review these operators’ cybersecurity plans, monitor compliance with such plans, and take other actions to ensure that critical infrastructure operators are sufficiently addressing identified cybersecurity risks.
- Cybersecurity Management: The Obama Proposal formally establishes DHS as the agency responsible for executive branch information security, including the authority to implement binding policies and directives relating to information security, review compliance with such policies and directives, and designate an entity to receive reports about cyber threats, incidents, and vulnerabilities.
- Recruitment and Retention of Cybersecurity Professionals: The legislative proposal gives DHS the authority to establish cybersecurity-related positions and set up a scholarship program to ensure that these positions are filled with desirable candidates well-trained in the field of cybersecurity.
In addition to the Obama Proposal sent to Congress in May, the Obama Administration is also pursuing other means (that do not require Congressional approval) to strengthen the security of the nation’s cyberspace. In June, the Department of Commerce’s Internet Policy Task Force released a report that identified several opportunities for public/private partnerships to strengthen the cybersecurity of companies that use the Internet to conduct business but are not part of the critical infrastructure sector (and are therefore outside the scope of the President’s proposal). In the report, Cybersecurity, Innovation and the Internet Economy, the Department proposes the establishment of a national but completely voluntary set of codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses use best practices, such as automated security, to counter cybersecurity threats and that they implement the Domain Name System Security Extensions (“DNSSEC”) on the domains that host key Web sites. The report also recommends creating incentives for companies to protect against cybersecurity threats. These incentives could include reducing “cyberinsurance” premiums for companies that adopt best practices and openly share details about cyber attacks for the benefit of other businesses.
Recent Congressional Focus on Cybersecurity
Since the terrorist attacks of September 11, 2001, updating data security has consistently been an issue upon which both parties in Congress have attempted to work together. Despite this, enactment of a comprehensive package of meaningful reforms has remained elusive.
To date, the Obama Proposal has not been introduced in either House of Congress. However, in testimony given before the Senate Appropriations Committee on September 7, 2011, Deputy National Security Advisor John Brennan testified that passing cybersecurity legislation should be one of Congress’ top priorities. The Obama Administration’s strong emphasis, along with the incidence of several high-profile cyber attacks, including those on Sony, Google, the Pentagon and the U.S. Senate, among others, has led to the introduction of several cybersecurity bills by members of Congress (see below for a description of these bills). Further, in the House, Speaker John Boehner (R-OH) has appointed Representative Mac Thornberry (R-TX) to lead a Republican-only task force to review the Obama Proposal and to report back to Boehner in October with its own set of recommendations for a comprehensive cybersecurity bill (“Task Force Bill”). In the Senate, the staffs of Majority Leader Harry Reid and Minority Leader McConnell are working together on a comprehensive bill they intend to have available in the coming months (“Reid-McConnell Bill”).
We expect both the Task Force Bill and the Reid-McConnell Bill to be voted on in their respective bodies of Congress by the end of 2011. Obviously, an overriding factor in determining whether a comprehensive bill will be ready for the President to sign is whether the House GOP task force makes recommendations that align closely enough with the Obama Proposal. Should it do so, agreement with the Senate on language should not be difficult.
In addition to the work being done by House and Senate leadership on comprehensive legislation, there are also ten bills in the Senate and seven bills in the House that deal with significant components of the cybersecurity issue. While it is increasingly unlikely that any of these bills will receive an up-or-down vote in either the House or Senate, a close examination of the bills (which are listed below) identifies key areas where there seems to be agreement between Congress and the President. Therefore, it is important to note these provisions, as they are likely to form the framework of any comprehensive package:
- There is bipartisan support for the creation of a national breach notification standard. Today, 47 states have established notification laws. This has created a tremendous burden on businesses that, after suffering an attack, have had to identify and adhere to each state’s myriad rules.
- Another of President Obama’s proposals with support in both chambers would create an office within the Executive Office of the President whose sole objective is to monitor and advise the President on cybersecurity matters.
- There is bipartisan and bicameral support for legislation directing funds to develop new methods of identifying cyber attacks and to train personnel in these methods. The Obama Administration also identified the need for more trained staff.
Below is a brief list of the bills and their sponsors:
- S. 372: Cybersecurity and Internet Safety Standards Act
Sponsor: Senator Ben Cardin (D-MD)
Status: This bill was introduced on February 16, 2011 and referred to the Senate Committee on Commerce, Science, and Transportation.
Summary: This bill seeks to reduce the ability of terrorists, spies, criminals, and other malicious actors to compromise, disrupt, damage, and destroy computer networks, critical infrastructure, and key resources, and for other purposes. DHS will achieve this by encouraging entities in the private sector to develop and enforce voluntary or mandatory minimum cyber security and Internet safety standards.
- S. 413: Cybersecurity and Internet Freedom Act of 2011
Sponsors: Senators Collins (R-ME), Carper (D-DE), and Lieberman (I-CT)
Status: The Committee on Homeland Security and Governmental Affairs held a hearing on the bill on May 23, 2011.
Summary: Establishes an office in the Executive Office of the President that will advise the President on cyber security issues. The act also establishes a National Center for Cybersecurity and Communications at the Department of Homeland Security (DHS) which will be responsible for leading federal efforts to protect public and private sector cyber and communications networks.
- S. 799: Commercial Privacy Bill of Rights Act of 2011
Sponsors: Senators Kerry (D-MA) and McCain (R-AZ)
Status: This bill was introduced on April 12, 2011 and referred to the Senate Committee on Commerce, Science, and Transportation.
Summary: Would impose new rules on companies that gather personal data, including offering people access to data about them or the ability to block the information from being used or distributed. Companies would have to seek permission before collecting and sharing sensitive religious, medical and financial data with outside entities.
- S. 813: Cyber Security Public Awareness Act of 2011
Sponsors: Senator Sheldon Whitehouse (D-RI) and Senator Jon Kyl (R-AZ)
Status: This bill was introduced on April 13, 2011, and referred to the Committee on Homeland Security and Governmental Affairs.
Summary: This bill is intended to promote awareness of cyber security. The bill, once enacted, mandates that different government agencies provide information to Congress on what plans exist for prosecuting cyber criminals, reacting to significant private sector incidents, reporting cybercrime to shareholders, regulating critical infrastructure, protecting the information security supply chain, and trying cyber criminals in federal courts.
- S. 1151: Personal Data Privacy and Security Act of 2011
Sponsor: Senator Leahy (D-VT)
Status: The Committee on the Judiciary held a markup on September 15, 2011.
Summary: Would require companies to disclose cyber attacks that jeopardize consumers’ personal information. It would also make the concealment of a data breach a crime. The Leahy measure does not give a specific timeframe for making such reports.
- S. 1152: Cybersecurity Enhancement Act of 2011
Sponsor: Sen. Robert Menendez (D-NJ)
Status: The bill was introduced on June 7, 2011 and was referred to the Committee on Commerce, Science, and Transportation.
Summary: This bill outlines a strategic plan to continue funding for National Science Foundation (NSF) scholarships, encourage research and innovation in the field of cyber security at institutions of higher learning, and train future computer security professionals who will use their acquired skills in the federal workforce.
- S. 1207: Data Security and Breach Notification Act of 2011
Sponsors: Senators Pryor (D-AR) and Rockefeller (D-WV)
Status: The bill was introduced on June 15, 2011 and was referred to the Committee on Commerce, Science, and Transportation. Committee hearing scheduled for September 21.
Summary: Would require companies that own or possess data containing personal information to establish “reasonable” security policies and procedures to protect that data. If a security breach occurs, entities would have to notify affected individuals. Consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.
- S. 1223: The Location Privacy Protection Act
Sponsors: Senators Franken (D-MN) and Blumenthal (D-CT)
Status: The bill was introduced on June 16, 2011 and was referred to the Committee on Commerce, Science, and Transportation.
Summary: The bill requires companies that operate smartphone platforms, like Apple and Google, to get permission from users before sharing geolocation data with third parties.
- S. 1408: Data Breach Notification Act of 2011
Sponsor: Senator Feinstein (D-CA)
Status: The Senate Judiciary Committee held a markup on September 15, 2011.
Summary: Requires notification of consumers when their personal and sensitive identifiable information (including Social Security numbers, passwords, or credit card account numbers) is breached and made available to unauthorized users.
- S. 1434: Data Security Act of 2011
Sponsors: Senators Carper (D-DE) and Blunt (R-MO)
Status: The bill was introduced on July 28, 2011 and was referred to the Committee on Banking, Housing, and Urban Affairs.
Summary: Similar to S. 1408, this bill would require businesses that handle sensitive consumer data, in any electronic or paper format, to implement information security safeguards, investigate security breaches, and notify consumers if their “sensitive account information” or “sensitive personal information” in a readable or usable form is breached.
- S. 1535: The Personal Data Protection and Breach Accountability Act of 2011
Sponsor: Senator Blumenthal (D-CT)
Status: The Judiciary Committee held a hearing on September 7, 2011.
Summary: Would impose new regulations on companies that store online data for more than 10,000 people. These rules would require companies to follow specific storage guidelines and ensure that personal information is stored and protected correctly. Companies that do not adhere to these security guidelines could be subject to financial penalties.
- H.R. 76: Cybersecurity Education Enhancement Act
Sponsor: Representative Sheila Jackson-Lee (D-TX-18)
Status: This bill was referred to the House Committee on Science and the House Committee on Education and the Workforce.
Summary: This bill authorizes the Secretary of Homeland Security, in conjunction with the National Science Foundation (NSF), to establish a program to give grants to institutions with cyber security professional development programs, and establish an E-Security Fellows Program.
- H.R. 174: Homeland Security Cyber and Physical Infrastructure Protection Act
Sponsor: Representative Bennie G. Thompson (D-MS-02)
Status: This bill was introduced on January 5, 2011 and was referred to the House Committee on Homeland Security.
Summary: This bill amends the Homeland Security Act of 2002 to establish a cyber security compliance division in the Office of Cybersecurity and Communications. It requires the Assistant Secretary to chair an interagency working group to develop cyber security requirements for government computer networks and critical infrastructure. It also gives DHS stronger authority to take action against noncompliance, as well as to suggest cyber security requirements for private sector companies classified as critical infrastructure.
- H.R. 1136: Executive Cyberspace Coordination Act of 2011
Sponsor: Representative Langevin (D-RI-2)
Status: Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Homeland Security.
Summary: Like S. 413, this bill would establish a National Office for Cyberspace within the Executive Office of the President responsible for evaluating and enforcing requirements for federal agencies to protect themselves and the public from a cyber attack. The office would also be charged with ensuring that the government purchases the most advanced and secure technology possible and trains a workforce with the ability to prevent cyber attacks.
- H.R. 1528: Consumer Privacy Protection Act of 2011
Sponsors: Representatives Cliff Stearns (R-FL-6) and Jim Matheson (D-UT-2)
Status: Referred to the House Committee on Energy and Commerce.
Summary: Requires covered entities to alert consumers whenever their personal information is used for a purpose beyond the intended transaction.
- H.R. 1707: Data Accountability and Trust Act
Sponsors: Representatives Rush (D-IL-1), Barton (R-TX-6) and Schakowsky (D-IL-9)
Status: Referred to the House Committee on Energy and Commerce.
Summary: Under this legislation, following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed within sixty days. Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
- H.R. 2096: Cybersecurity Enhancement Act of 2011
Sponsor: Rep. Michael T. McCaul (R-TX-10)
Status: The bill was unanimously approved by the House Committee on Science, Space, and Technology on July 21, 2011.
Summary: This bill is similar to S. 1152. It outlines a strategic plan that would continue funding for National Science Foundation (NSF) scholarships, encourage research and innovation in the field of cyber security at institutions of higher learning, and train future computer security professionals who will use their acquired skills in the federal workforce.
- H.R. 2577: Secure and Fortify Data Act (SAFE Data Act)
Sponsor: Representative Bono-Mack (R-CA-45)
Status: Approved by the Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade on July 20, 2011; now awaiting markup by the full committee.
Summary: Would require organizations to notify people affected by a data breach and the Federal Trade Commission (FTC) within 48 hours. The bill would expand the FTC’s powers by giving it authority to levy civil penalties if companies or entities fail to respond to data breaches in a timely and responsible manner.
We are confident that cybersecurity legislation will be taken up and passed by Congress in the near future. Work currently being conducted in both government and the private sector will greatly affect the content of comprehensive cybersecurity legislation. In the interim, the Public Policy and Government Relations Group will publish a weekly summary of developments in cybersecurity policy and will continue to monitor these developments closely.