The U.S. Senate is about to deliberate a highly revised cybersecurity bill – one that last weekend won the endorsement of President Obama. The current version of the bill no longer contains measures that would essentially declare any device that may at some point contain critical government information – even via the public cloud – as subject to government scrutiny and protective regulations. Instead, it creates a new mechanism to deal with security for businesses that may house government data.
In place of the language in the original bill - which had been introduced by Senator Joseph Lieberman (I – Conn.) - the new Cybersecurity Act of 2012 (CSA2012, or S.3414) would create a National Cybersecurity Council, whose key purpose would be to chair a public/private partnership for developing and implementing security principles and measures for businesses that may house government data, or that host “critical infrastructure.” The adoption of some of those measures by private agencies or contractors would be voluntary, while others would be “compulsory,” which is somewhat less severe than “mandatory.” A “compulsory” requirement may conceivably be a “deal-breaker,” without which the government won’t do business with the firm. By comparison, “mandatory” implies the type of bond that’s illegal for someone to break.
Whose Cloud Is It?
At issue are two things: One is the obligation of private companies that provide cloud services for the federal government to adhere to federally prescribed security policy. Here, the difference between a mandate and a recommendation is the same as between “illegal” and “not very nice.” Second is the ability for private industries involved in any kind of cybersecurity to share information with the government in the interest of improving security, without being held liable for even the accidental disclosure of private information owned by innocent civilians. The CISPA legislation passed last April by the House of Representatives would grant immunity from prosecution for companies making such disclosures.
In an effort to win Republican support in the Senate, CSA2012 backers worked on refining their language to make similar grants. That effort was at least somewhat successful, with the announcement earlier this week of support for CSA2012 by Senator Jon Kyl (R – Ariz.), who had previously sponsored CISPA’s Senate counterpart, the so-called SECURE IT bill.
But to keep Senate Democrats in line, the new language narrows the scope with which those grants would be made. It’s a subtle but important distinction, so follow closely: As the bill was previously written, private industries that shared information with federal agencies that use that information for cybersecurity purposes, would be immune from prosecution. Under CSA2012, private industries that gathered information for cybersecurity purposes may share that information with the government if it obtained that information, and then used that information, for that sole purpose. Then and only then can it be held immune.
That was the clincher that got Senator Al Franken (D – Minn.), formerly an opponent of Senate cybersecurity legislation, on board with CSA2012. On the Senate floor on Thursday, Franken said, “In other words, once a company gives the government cyberthreat information, the government shouldn’t be able to say, ‘Hey, this email doesn’t have a virus. But it does say that Michael is late on his taxes. I’m going to send that to the IRS.’”
Coordination Will Be Protected, But By Whom?
Franken also praised the new language for getting its priorities straight – for instance, by making certain that policies regarding information sharing are put in place between government and private companies first, rather than (as was conceivable under the old language) sharing the information first and deciding how it should be protected later. “Under this bill, privacy rules have to be in place on the first day that companies start giving the government information,” said Franken. “People can sue the government when it abuses its authority. And there will be recurrent, independent oversight by both the Privacy and Civil Liberties Oversight Board and Inspectors General.”
Opponents of previous legislative efforts – which included the President – noted the fact that the exchange of data between private industries and government must themselves be protected by cybersecurity policy. In his endorsement last week, Obama said, “We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared. We need to make it easier for these companies – with reasonable liability protection – to share data and information with government when they’re attacked. And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks.”
Debate remains over whose policies those will be, and whether government or the private sector will be responsible for creating them. As the new bill is crafted now, using langauge that met with Franken’s approval, the new Cybersecurity Council would coordinate a series of best practices, by way of an agreement “by the sector coordinating council in coordination with owners and operators, voluntary consensus standards development organizations, representatives of State and local governments, the private sector, and appropriate information sharing and analysis organizations.” This would present the first-stage safety net for protecting and immunizing sharing of security data.
But later, the bill would enable any federal agency with security responsibility to raise the level of those policies from voluntary to mandatory, with respect to the agencies themselves. “A Federal agency with responsibilities for regulating the security of critical infrastructure may adopt the cybersecurity practices as mandatory requirements,” the new draft reads.
If a federal agency has a contract with a private cloud service provider, and that agency’s practices have just been deemed mandatory, it may yet be fuzzy whether the private firm’s responsibilities have just become mandatory as well.
It’s this potential loophole in the legislation that’s being spotlighted by conservative activist groups opposed to the bill, including Heritage Action for America, which is associated with Rush Limbaugh’s Heritage Foundation. In a statement released Tuesday, Heritage Action said, “Even though this bill makes adherence to the regulations ‘voluntary,’ the regulatory footprint imposed by this bill would still be too cumbersome and include too many unknowns to adequately protect the industry from an attack without damaging the Internet industry itself. Although it is marginally better than a fully mandatory paradigm of regulations, it would leave open the strong possibility of individual agencies making their regulations binding.”
Damned If You Do…
At the opposite end of the debate, Senator Franken (who once famously declared Limbaugh “a big, fat idiot”) indicated today that CSA2012 as currently crafted may yet grant federal agencies too much authority to act in concert with service providers to deploy security “countermeasures.” As currently written, the bill reads, “The Secretary [of Homeland Security] may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic or to deploy countermeasures in accordance with this subsection.”
Franken said he will offer amendments before the Senate floor that would strike this and other provisions, which he said would “give ISPs and other companies a brand new right to monitor communications and to deploy countermeasures. That right is very broad. So broad that if a company uses that power negligently to snoop in on your e-mail or damage your computer, they will be immune from any lawsuit.”
But President Obama indicated earlier that it would not look favorably on any amendment that would result in, as a White House statement put it, “weakening the statutory authorities of the Department of Homeland Security to accomplish its critical infrastructure protection mission.” That could mean efforts to give the bill more Democrat support could cost it the backing of the Democratic president.
Ironically, the passage of such an amendment might appeal to a previously outspoken opponent of the bill, Senator John McCain (R – Ariz.), who remains on record as saying DHS is not the right agency to manage a cybersecurity council. Senator McCain would prefer the National Security Agency, which answers to the Dept. of Defense. While the NSA is said to already have critical security measures in place, it isn’t always clear what those are. And Democrats – including Franken – are opposed to aligning any private partnership with a branch of the military.
Just as ironically, on record as supporting Franken and Senate Democrats in that opposition is the NSA itself. Gen. Keith Alexander, the NSA director, told a Senate Armed Services panel last March that included McCain, “I do not believe we want NSA or the military inside of our networks watching them.”
So the new, improved Senate cybersecurity bill is likely to garner opposition from someone, somewhere, no matter where it heads from here. If it’s any consolation, the likelihood of its reconciliation with the already passed House CISPA bill is next to nothing, unless House leadership changes hands after the fall elections.