October was the Department of Homeland Security’s eighth annual National Cyber Security Awareness Month, but in many ways, 2011 was the “Year of the Hacker.” Public awareness of weaknesses in the nation’s cyber and physical infrastructure has skyrocketed as a result of far-ranging electronic attacks in the United States and abroad. In the U.S., hacktivist groups LulzSec and Anonymous have attacked the CIA’s website, released personal data of officers of the Arizona Department of Public Safety, and obtained gigabytes of data, including usernames, passwords, and IP addresses from companies including AT&T and Sony. Just this week, federal officials confirmed an investigation into a water pump failure in Springfield, Illinois that could have been the result of a cyber-intrusion.
Federal elected officials are also well aware of the threats posed by cyber-attacks on America’s infrastructure. Over the last two years, a concerted effort has been made by the Obama administration to develop internal federal strategies for cybersecurity, in addition to pushing Congress to pass comprehensive legislation for critical national industries. The administration’s federal strategy is laid out by its Comprehensive National Cybersecurity Initiative (CNCI), which lays out steps for the Department of Homeland Security to secure federal enterprise and classified networks, while developing programs that address vulnerabilities in the communications technology marketplace and expand cyber education. The initiatives in the CNCI were then presented to Congressional leaders on May 12 in a major legislative proposal. The DHS has informally carried out steps in accordance with the CNCI, but Secretary Janet Napolitano has urged Congress to move forward with bipartisan, comprehensive legislation.
As a result of the Administration’s urging, Congress has been active on cybersecurity as well. In the 112th Congress alone, over a dozen bills related to cybersecurity and public infrastructure have been introduced in the House and Senate. National cybersecurity legislation is unique because it falls in two categories that elicit very different responses from the parties. As a national security issue, the legislation would seem to engender substantial bipartisan support. However, as protecting the national cyber and physical infrastructure would require a new regulatory regime, the parties have been at odds with respect to the best method of ensuring that protection. The legislative process has laid bare a difference in regulatory approaches between Senate Democrats and House Republicans.
The Senate Democrats have largely followed the Administration’s model in their legislative proposals. For example, the Cybersecurity and Internet Freedom Act of 2011, introduced by Senators Lieberman, Carper and Collins of the Senate Homeland Security Committee recommends that private entities in critical industries be subject to government standards of network security under the DHS and be required to share information relating to cybersecurity threats and vulnerabilities, in exchange for liability protection. The DHS’s authority would include the ability to levy fines and encourage compliance through published results of security audits.
On the other hand, House Republicans on the Cyber Security Task Force, in legislative recommendations approved by Speaker John Boehner last month, indicated that they would be strongly resistant to compelling private firms to comply with federal standards through penalties and DHS enforcement. Instead, House Republicans propose that cybersecurity legislation be limited to incentivizing improved standards in critical industries in the private sector through existing liability protection, streamlined regulations, and current tax credits. Rep. Mac Thornberry, the chairman of the task force, argues that best practices and incentives should be sufficient, saying “If we can get 85 percent of attacks by good hygiene, we ought to encourage good hygiene.”
Senate Democrats and House Republicans also differ in the interpretation of “critical industries.” The Administration and Democrat proposals have indicated a broad interpretation for industries that are essential to the United States’ cyber and physical infrastructure. These industries would be those whose disruption would “have a debilitating effect on national security, national economic security, national public health or safety,” and would include all communications and public utilities dependent on information infrastructure. The House Republican Task Force recommendations are not nearly as far-reaching, generally limiting regulation to industries already under heavy government oversight, namely nuclear power and water-treatment plants.
The philosophical differences between the proposals are standard fare for the two parties. Republicans are aiming to minimize government oversight of private networks and reduce DHS enforcement mechanisms. The limited oversight is intended to keep critical industries flexible in their responses to threats and reduce the economic burden on private entities. The Administration’s broader regulatory proposal is less cost conscious and aims to compel essential industries to be as electronically secure as possible through a “carrot and stick” approach. The proposal is not constrained to incentives that encourage proper cybersecurity hygiene, but incorporates some enticements (like liability protection) into a broader structure that rewards positive performance and punishes bad actors, in order to eliminate the maximum number of vulnerabilities. As with any strong regulatory regime, cost issues and economic burden are likely concerns for the Democrat proposal.
Though the parties are at odds with how best to approach protecting America’s critical infrastructure, it is promising that the parties agree it must be done with urgency. There are a number of areas where both proposals coincide, including reforming the law governing the protection of federal agencies’ networks and liability protection for proactive firms. Most encouraging is that because of the national security implications, Congress is much more likely to reach an effective compromise on comprehensive cybersecurity legislation, in spite of its internal ideological debate.