After a year of interagency coordination and discussions, the Obama Administration recently released a wide-ranging legislative proposal addressing many cybersecurity issues. The proposal focuses on mandating the public disclosure of data breaches, regulating the operation of the nation's critical information infrastructure, and imposing standards to secure government computer systems. The proposal, if enacted in whole or in part, may have a major impact on organizations operating any part of the nation's information infrastructure, providing information technology services or equipment to the government, storing sensitive data, or having any involvement in the nation's growing information economy. Congress is evaluating the Administration's cybersecurity proposal as well as considering other legislative proposals on the topic of cybersecurity.
This alert summarizes some of the key areas of interest, concern, and opportunity for the business community in the emerging area of cybersecurity. Congress, particularly the Senate, has been engaged on various cybersecurity legislative proposals for the last year, as described in greater detail below. Stakeholders can expect to see additional hearings on a wide range of cyber-related topics such as data breach notification, data security and infrastructure protection. While comprehensive cybersecurity legislation is unlikely to be adopted this summer, momentum for some cybersecurity legislation is likely to build heading into the fall.
The Administration's Cybersecurity Proposal
The Administration's cybersecurity proposal covers several areas including:
- Standardization of data breach notification requirements at the federal level.
- Toughening penalties for cybercrime.
- Direction and delegation of authority to the Department of Homeland Security (DHS) to: (1) protect civilian federal computer systems; (2) regulate critical information infrastructure; (3) implement cyber-incident response and cyber-threat detection and prevention; and (4) facilitate public-private-sector information sharing.
- Federal Information Security Management Act (FISMA) reform to formalize DHS's role in securing federal systems and to focus on operational security.
- Federal civilian personnel authorities to facilitate hiring cybersecurity professionals including activation of a government-wide information technology exchange program.
- Prohibition on non-federal requirements for specific locations for data centers.
The business community should take particular note of several of the Administration's cybersecurity legislative provisions: specifically, data breach notification, proposals to delegate to DHS new authority to regulate critical infrastructure, and enhanced DHS authorities to secure federal computer systems.
Data Breach Notification and Related Proposals
The Administration's proposal on data breach notification would establish a national reporting framework for data breach incidents and would authorize the Federal Trade Commission (FTC) to implement the reporting requirements.
- The proposal would apply to entities that handle "sensitive personal identifying information" about more than 10,000 individuals in a 12-month period.
- Subject to certain exceptions, covered business entities would be required to notify individuals should there be a security breach of personally identifiable information.
- The proposal also would require certain business entities to notify designated law enforcement and national security authorities of information related to cybersecurity incidents, threats and vulnerabilities.
- A violation of the data breach notification requirements would be considered an unfair or deceptive act or practice under the Federal Trade Commission Act and would be enforced by the FTC and state Attorneys General.
- The proposal provides for coordination of activity, such as rulemaking and enforcement, with the Federal Communications Commission (FCC) when the activity relates to customer proprietary network information.
- The proposal has a narrow preemption provision that generally supersedes state law relating to notification of breaches of computerized data.
As with other elements of the Administration's proposals, many of the details would be committed to the discretion of the relevant agencies and explained in subsequent regulatory proceedings.
Perhaps not surprisingly, the proposal's data breach notification requirements were met with skepticism at a recent hearing before the House Homeland Security Committee Subcommittee on Cybersecurity. Some participants expressed concern with certain elements of the Administration's data breach notification proposals, which at least one congressman characterized as a public "name-and-shame" framework to promote cybersecurity goals. Rep. Michael McCaul (R-TX) described such an approach as counterproductive, and one witness argued that mandatory public notification of data breaches would discourage organizations from conducting proper cyber-security investigations and monitoring, for fear that they would discover and be forced to publicly announce a breach.
Given the burdens associated with any notification regime and the concomitant desire for certainty, the specific requirements of any data breach notification regime will be critical and are worth watching. Equally noteworthy will be efforts to establish national notification requirements, along with their preemptive effect on additional or different state regimes.
Designation, Regulation, and Protection of Critical Infrastructure
The Administration's proposal would give DHS a lead role and significant new regulatory authority to secure what the proposal refers to as "critical infrastructure" against cyber threats. These proposals, if enacted, could have significant consequences for a variety of U.S. industries and businesses. The proposal would charge DHS with filling in substantial interpretive and policy gaps related to critical infrastructure.
- Covered critical infrastructure operators, as defined or identified by DHS, would be required to develop a plan to address cyber-threats and have a third-party auditor, approved pursuant to DHS criteria, assess the plan. The plan would have to "be signed and attested by an accountable corporate officer" and be available for evaluation by DHS.
- The proposal would require annual certifications that plans have been developed and are being implemented. The proposal also would require disclosure of "high-level summaries" of the plans and prompt notification to the DHS Secretary of "any significant cybersecurity incident."
- If the Secretary finds the covered critical infrastructure is not sufficiently addressing the cyber risk, the Secretary may enter "discussions" with the owner or operator and, if unsuccessful in resolving the concern, may "issue a public statement that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks."
The process for designating "covered critical infrastructure" subject to regulation would be developed and implemented by DHS. While there are many unanswered interpretive questions, it seems likely that the term could include communications service providers, Internet Service Providers (ISPs), various utilities, the nation's energy grid, and even some manufacturing sectors.
Important questions are being asked about the designation and regulation of critical infrastructure. DHS would be given substantial discretion to craft and impose potentially onerous regulatory requirements on what the agency deems critical infrastructure, but the Administration's proposal does not provide a great deal of specific guidance about what criteria would justify such a designation. Accordingly, a key issue at a recent hearing on the proposal before the Senate Judiciary Committee Subcommittee on Crime and Terrorism was the definition of critical infrastructure and what entities, industries and functions would be covered. Subcommittee Chairman Sen. Sheldon Whitehouse (D-RI) specifically asked the witnesses whether they believed ISPs would be classified as operators of covered critical infrastructure and thereby subject to potentially sweeping DHS regulatory authority. The witnesses noted that this designation would take place through a rulemaking process, making specific results hard to predict, but the Acting Deputy Under Secretary for National Protection and Programs Directorate at the Department of Homeland Security (the component that would be charged with making the designation) was confident that ISPs would indeed be classified as critical infrastructure and, therefore, be the targets of new cyber-security regulations.
The Administration's proposal to give the Secretary of DHS sweeping authority to create and implement a framework both for the designation of critical infrastructure and for the obligations that attach once such a designation is made is consistent with provisions of the Cybersecurity and Internet Freedom Act (S. 413), which is co-sponsored by Senators Joseph Lieberman (I-CT), Olympia Snowe (R-ME) and Tom Carper (D-DE), chairman, ranking member and member of the Senate Homeland Security and Governmental Affairs Committee, respectively. In a published op-ed in the July 8, 2011 edition of The Washington Post, the Senators urged Congress to act on cybersecurity legislation and touted their proposal to "give DHS statutory authority to work with industry to identify and evaluate the risks to the country's most critical cyber-infrastructure." Their legislation would call on DHS "cyber experts" to review corporate protection plans and immunize from liability those companies that are in compliance with their approved plans.
Given the discretion and authority that would be vested in DHS, ISPs and others in the communications, information, technology, energy and other sectors vital to the U.S. economy should monitor closely these proposals as they make their way through Congress. Of particular significance would be opportunities to influence or obtain guidance about the criteria for designation as critical infrastructure and the obligations that would follow such a designation.
Protection of Federal Computer Systems
The Administration's proposal also would provide DHS with additional tools to protect federal systems, which may be of interest to government contractors and others working with the federal government. For example, for purposes of protecting federal computer systems, DHS would be authorized to operate "consolidated intrusion detection, prevention, or other protective capabilities and the use of countermeasures…". In addition, DHS would be authorized "to acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on federal systems and to deploy countermeasures…" provided such activity is consistent with a privacy and civil liberties framework and the DHS Secretary makes a number of certifications.
This proposal has been met with some skepticism, including from those who want the government to be able to do more to address threats to private systems. Some participants in a recent hearing before the Senate Judiciary Committee Subcommittee on Crime and Terrorism expressed interest in developing techniques for the government to legally intrude in privately-owned information systems in an emergency, perhaps by creating a program for infrastructure operators to preauthorize this sort of intervention in their systems. No doubt this type of intervention would be met with skepticism from the civil liberties community as well as the business community. Government contractors and others doing business with the federal government should pay close attention to proposals concerning the protection of federal data and systems.
Hill Scrutiny Identifies Emerging Issues, Disputes and Opportunities
Since the Administration released its cybersecurity legislative proposal, Senate and House committees and subcommittees have held a number of hearings. To date, cybersecurity has not been a partisan issue, though policy fault lines are emerging as proposals take shape.
- The Senate Committee on Homeland Security and Governmental Affairs held a hearing on May 23, 2011, soon after the Administration released its proposal. It was chaired by Sen. Lieberman and was generally supportive of the Administration's efforts, though Sen. Lieberman expressed concern that the Administration's proposal did not create a White House Office of Cybersecurity with a Senate-confirmed director and did not address the President's authority to act in the event of a cyber emergency.
- The Senate Judiciary Committee Subcommittee on Crime and Terrorism held a similar hearing on June 22, 2011 to evaluate the Administration's proposal. It was chaired by Senator Sheldon Whitehouse who, while generally receptive to the Administration's proposals, appeared interested in the definition of critical infrastructure.
- The House Homeland Security Committee Subcommittee on Cybersecurity held a hearing on June 27, 2011, to evaluate the Administration's proposal. This hearing, chaired by Rep. Dan Lungren (R-CA), turned a more critical eye on aspects of the proposal and focused on the breach notification obligations and explored the possibility of using the private insurance market to mitigate cybersecurity concerns in the private sector.
An Uncertain Legislative and Regulatory Environment Creates Risk and Opportunity
While it is clear that both the White House and the Congress are eager to take some action to address the growing cyber threat, a consensus approach has yet to emerge. The resulting debates and proposals generate substantial regulatory uncertainty, but also present opportunities to shape what could be a new frontier of regulation and public-private partnerships aimed at many of the country's core businesses and technologies.
The contours of any federal approach to cybersecurity are still emerging, but critical questions will focus on how to classify and protect critical infrastructure, how to balance security against privacy interests, and how to put the right incentives in place to encourage private entities to take necessary steps to secure our nation's infrastructure, data and technology. In particular, protection of business entities' confidential information in the context of government disclosures and dialogue will be critical to the successful public-private partnerships that many deem essential to a successful cybersecurity strategy. Finally, the proper role for state activity in any and all of these areas will be important to those seeking certainty and national uniformity in the creation of obligations related to cybersecurity.
One alternative to direct government regulation under discussion is the use of private insurance. Though many stakeholders believe that some government intervention is necessary to protect critical infrastructure from cyber threats, there has been discussion of two competing approaches: direct action through regulation and indirect action through the creation of market incentives. Before the House Homeland Security Committee Subcommittee on Cybersecurity, Larry Clinton, President and CEO of the Internet Security Alliance, which has been active on cybersecurity issues, argued that the Administration's approach does not allow enough flexibility to counter modern cyber threats effectively. According to Mr. Clinton, cybersecurity legislation could encourage the development of a cybersecurity insurance market which would achieve, through market forces, the Administration's cybersecurity goals without burdensome regulation. To make this proposal a reality, Mr. Clinton suggested that the government should establish a revolving fund, as it did to stimulate the formation of the crop and flood insurance markets, and that it should facilitate the public release of actuarial information that is currently kept private. Whether there is an appetite among policy makers for such an initiative remains to be seen; some have seen that use of federal resources as a less desirable alternative to targeted regulation and investment.