It's been about a month since I last blogged about cybersecurity legislation so here's a brief review of where we stand.
Senators Lieberman (I-CT) and Collins (R-ME) got bipartisan support for the Cybersecurity Act of 2012 (S.2105) in the Senate Homeland Security and Government Affairs committee and introduced the bill for a Senate vote. Several other Senators voiced their disdain for this bill and subsequently introduced an alternative, the SECURE IT bill, which centered around a framework for public/private information sharing and eschewed the other bill's compliance mandates, oversight, and enforcement provisions. There was also a mock cyber attack staged in NYC to demonstrate the risks and consequences to Senators in a "real world" setting.
So where are we on cybersecurity legislation at this point? Who knows. There is probably a bit of back office deal making going on but we can't expect much real action due to partisan politics and an election year. Besides, cybersecurity is too esoteric and geeky for broad appeal. Why focus on cybersecurity when you can simply call your opponent to task on emotional issues like gasoline prices, health care reform, or social issues?
The few Washington insiders truly focused on cybersecurity face an interesting and somewhat extreme debate as well. The most legitimate criticism I've heard is that the current Lieberman-Collins bill has too many loopholes. I agree but also believe it is a good foundation and should be considered a starting point rather than a perfect piece of legislation. In addition to this realistic concern however, here are a few of the other perspectives on cybersecurity legislation in general and this bill in particular:
1. President Obama wants to take over the Internet. Yes, and he wants to give it back to its rightful owner, Al Gore. Please!
2. The free market can manage cybersecurity protection without government interference. Okay, I get the argument that we don't need more federal programs but isn't it the government's job to protect American citizens? Think clean water, safe working conditions, etc. Besides, many CEOs don't want good cybersecurity, they are fine with "good enough cybersecurity." In today's threat landscape, "good enough" is no longer enough.
3. This bill will penalize private companies and make them spend money needlessly. If they were investing enough money in the right places this would be true but take it from someone who lives in this world, they aren't. Additionally, what would cost the economy more, some cybersecurity controls or a massive power outage in New York City?
4. Cybersecurity legislation is akin to "Big Brother." I agree if we let the NSA get involved as some have suggested. NSA is probably the most technically capable agency but its role in intelligence gathering creates a privacy nightmare. Keep NSA (and DoD) out of any domestic programs, thank you.
5. The government can't even secure its own systems. A generalization but true and also irrelevant. This is about cybersecurity oversight and best practices for critical infrastructure like water, power, financial systems, and telecommunications. Aren't these things worth protecting?
I hope we can dismiss political agendas and make this an intelligent and unemotional discussion on protecting national security. Sigh -- there is a lot of work ahead just to get this process started.