Cybersecurity Legislation Forecast is Grim

A D.C. insider is pessimistic that we’ll see cybersecurity legislation before 2016, pointing toward a number of contributing political and national security factors.

MINNEAPOLIS – If you’re expecting federal cybersecurity legislation any time soon, forget it.

Despite the number of prospective bills on the Hill right now, Congress is unlikely to move anything forward any time soon, according to Matthew Rhoades, director of the cyberspace and security program at the Truman National Security Project and Center for National Policy, speaking here Tuesday at the Cybersecurity Summit.

And you can blame it on politics. Blame the calendar. And blame Edward Snowden’s exposing the depths of the NSA’s surveillance of Americans.

Rhoades, a longtime D.C. insider, painted a dynamic portrait of Congress’ debates and deliberations on cybersecurity legislation, from the 2008 presidential elections through last summer, when Snowden’s disclosures turned privacy on its ear.

Going back, Rhoades said, Congress has always hotly debated three points around legislation: critical infrastructure; information sharing; and the role that the NSA versus a civilian authority such as DHS would have. Other areas such as education, research and development, awareness and FISMA reform weren’t as divisive.

The dividing line between the two sides of the aisle came to a head in 2012 when Senate Democrats lobbied for a comprehensive approach to cybersecurity legislation, one that left a lot in the hands of market forces and the private sector. The Republican-controlled House wanted something different, Rhoades said, an approach that had information sharing as the center spoke of its wheel. Holding up that debate were questions about what information would be shared, with whom, what that information would be used for, and what the standard of liability would be around all that sharing of sensitive business information; in other words, what were the provisions for full indemnity or standards of negligence.

“All of the above happened in 2012,” Rhoades pointed out. “It was never mentioned in the presidential election, meaning it was almost exclusively an inside-the-beltway debate.”

Conflicting interests arose, in particular from privacy and civil liberties groups who wanted information anonymized and shared with a civilian agency, DHS in this case. They wanted clear definitions of what it was going to be used for and they wanted to establish a negligence standard, Rhoades said. Businesses weren’t in on standards; they wanted legal protection including liability and antitrust protection for companies in the same industry sharing information.

As we know, 2012 ended without legislation, but 2013 began with a new Congress and Executive Order 13636, which provided for some information sharing and oversight, and paved the way for the NIST Framework.

“I would argue [the Executive Order] was just as much a political document as a policy document,” Rhoades said. “From a political standpoint, critical infrastructure was off the table in Congress. A lot of progress was made—until June.”

On June 5, the first Snowden disclosures were published in The Guardian and privacy and security haven’t been the same since.

“Setting aside what you think about what Edward Snowden did, this had serious second order effect on cybersecurity legislation,” Rhoades said, pointing out as an example that any provisions made for information sharing between the private and public sectors now sound an awful lot like Google, Yahoo and Facebook providing “direct access” to the NSA. That was immediately rebuffed by the technology companies, who forced the Justice Department to loosen the noose a little bit with regard to transparency.

Now more than a year out from Snowden, and closing in fast on another presidential election, the prospects for legislation are slim to none with a lame-duck president in office and a new Congress due in January.

“There are other priorities out there,” Rhoades said of what will get in the way of cybersecurity legislation. First, and probably foremost, the federal government will again run out of money in mid-December and Congress will have to find a way to fund the government. The White House has already said it would like to nominate a new Attorney General replacing Eric Holder, another thing the Senate would have to focus on.

More? Mandated updates to Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act, the possible authorization of military force in Syria to fight ISIL, and the expiration this year of the comprehensive agreement on Iran’s nuclear program.

“There are more pressing issues around national security in front of cybersecurity,” Rhoades said.

The prospects of a new Congress aren’t encouraging on the cyber legislation front either, because six key backers are retiring or leaving their posts, including Jay Rockefeller (D-W.Va.), who introduced the Cybersecurity Act of 2009, and Saxby Chambliss (R-Ga.), the vice chairman of the Senate Select Committee on Intelligence, who helped push the Cybersecurity Information Sharing Act through to the Senate floor.

“We’re losing a lot of institutional knowledge, not just the politician but when the staff leaves too,” Rhoades said. “We’re losing a lot of important staffers unless someone new decides to hire them.”

And then comes the 2016 election, which will consume a lot of attention.

“It’s going to be harder to get cyber legislation passed,” Rhoades said. “I’m pessimistic about getting anything passed in the next couple of years—with one exception: if something bad happens.”
