Cybersecurity is an urgent priority -- national and economic security are at stake -- yet we do not yet have in place the legislation needed to deal with the threat. From network attacks to network exploitation the threat is real and emanates from a range of sources, including China, Russia, Iran and North Korea, transnational criminal organizations, and hackers for hire. Now is the time to act, while cooler heads can prevail, rather than after a significant cyber event or in the heat of a crisis, when more draconian measures and outcomes may result. There are now multiple bills before Congress, including the Cybersecurity Act, the SECURE IT Act, the Cyber Intelligence Sharing and Protection Act, which passed the House in April, as well as the compromise framework led by Sens. Sheldon Whitehouse, D-R.I., and Jon Kyl, R-Ariz. Senate Majority Leader Harry Reid may soon bring yet another bill to the floor. Given this proliferation of proposals we thought it would be useful to offer some key concepts -- namely the most important pieces of these various bills -- that could serve as primary areas of focus and minimum baselines for any bipartisan bill. Those concepts are:
Opinions on the existing bills are deeply divided. Nor is there consensus on what a comprehensive solution should look like. Accordingly, we would make the case for legislation that takes the above steps as a first move forward in the right direction. Action along these lines would be a good initial step and would be a great deal better than the inaction and paralysis that currently prevails. It’s important to bear in mind that there is a reason that “critical infrastructure” is so-called. It may lie largely in private hands, but it performs functions that are crucial to national security and other fundamental ends. This is not to say that critical infrastructure as a whole is homogenous. To the contrary, it includes diverse sectors such as finance and banking, telecommunications and energy. There are many permutations of technology by sector and it’s unlikely that one bill or remedy will address satisfactorily all of the stakeholders involved, either from a technical or political perspective. Discussing the viability of such a bill has delayed the process at least three years and resulted in nothing being done legislatively. Now is the time to provide strong guidance for these critical sectors that the nation cannot afford to see compromised under any circumstance.
Perhaps the best place to start is with the energy, water, emergency services (to include supporting communications), transportation and healthcare sectors. These are the must-haves that are critical to the survivability of society. The good news is that the legislation can pivot off some of the work already done in these sectors and in the energy sector in particular. Though not particularly known for its innovative use of technology, the energy sector moved out early on in terms of cybersecurity and possesses a good bit of experience with both the risks and repercussions of what happens when the lights go out, be it from natural disasters or other causes. Customers grow angry, their revenues decline and regulators intercede. Against this background multiple stakeholders worked together to assess risks and set standards to mitigate those risks -- thereby creating certainty in the marketplace and a management roadmap for industry. In addition, the sector created an information-sharing environment by which cyber situational awareness can be maintained throughout the sector. The key question now is how to build upon this small success and create certainty from which to build in other markets.
If multiple stakeholders could agree on such a legislative approach we as a country would be able to begin to address our risk before we are forced to do so by events. A spirit and practice of genuine public-private partnership is sorely needed. It is not difficult to imagine what harm could be wrought by bad actors with command of cyber skills and little regard for human life. At the end of the day, what is paramount is to protect and maintain the trust and confidence of the American people. That should serve as motivation enough to get us to where we need to be, or at least to a first but important step down that path. Put bluntly, Congress has a responsibility to take us there.
Frank Cilluffo is Director of the George Washington University Homeland Security Policy Institute. Andrew Robinson is Senior Vice President of ICF International.