Challenges Associated With Legislating Cybersecurity – Some Perspectives on Senate Bill 773, the “Cybersecurity Act of 2009”




I recently chaired a panel at the Stevens Institute of Technology cybersecurity conference in Washington D.C. and was asked by the conference organizers to develop an agenda based on a review of pending Senate Bill 773, the “Cybersecurity Act of 2009”. Our panel, which included two security experts, former National Security Agency Deputy Director Bill Crowell and Ted Schlein of KPCB, focused on some of the challenges to the passage of effective legislative solutions aimed at securing data on the Internet. The point of departure for our panel was a consideration of two specific sections of Senate Bill 773.

The summary of the Bill’s purpose highlights the importance of the continued free flow of commerce, the need for secure cyber communications on the Internet, and a defensive approach to prevent disruption to these activities.

Three focal themes emerged from the discussion:

I. That the implementation of effective international standards of cooperation to achieve cybersecurity is going to be more difficult to achieve and is far more complex than it appears. Google’s unfolding experience in China is only the latest manifestation of the complexity of this issue.

II. That developing a new legislative protocol for the dissemination of cybersecurity threat information to the public is going to be very difficult and is likely to lead to unintended consequences. While one government organization may be designated as responsible for this delicate role, many others will continue to lay claim to ultimate authority over what is or is not classified information in the cyber realm.

III. That legislative approaches to cybersecurity need to more fully recognize that promoting healthy and robust U.S. capital markets is essential to our nation’s economic and national security.

The globally integrative power of the Internet brings with it major challenges when it comes to international cooperation. This is especially the case when the economic competition between nation states is increasing and different players approach the same playing field with completely different rules as to what constitutes fair play. Bill 773 designates the President to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity.


What do we mean by different approaches to economic competition? McAfee recently released its fifth annual Virtual Criminology Report, concluding that politically motivated cyber attacks have increased in a number of countries, including the United States. There is a clear tension between the desire and need for international cooperation and setting standards in cybersecurity and the reality that cyber attacks are now a tool of governments.

Bill Crowell was quoted in that report as saying that “Over the next 20 to 30 years, cyber-attacks will increasingly become a component of war,” “What I can’t foresee is whether networks will be so pervasive and unprotected that cyber war operations will stand alone.”

In section 14, Bill 773 designates the Department of Commerce as the clearinghouse of cybersecurity threat and vulnerability information to the Federal Government and the private sector. The protection of our nation’s critical infrastructure is a matter of both economic and national security. This is also probably one of the most sensitive “political turf” battle issues in the United States. The Department of Defense, the NSA, various military branches, and the intelligence community all lay claim in various ways to a piece of the cybersecurity pie. Nobody will argue that a breach of our nation’s cybersecurity impacts commerce. Can you explain why the Department of Commerce has been designated to serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private-sector-owned critical infrastructure information systems and networks, and how do you believe this is actually going to work in terms of coordinating with the military? What happens when someone invokes making threat data classified as a matter of national security—aren’t we already living in ignorance of a lot of threat information precisely because of this problem?

The full panel was broadcast on C-Span.
