The House Republican Cybersecurity Task Force released its long-awaited recommendations today explaining why "the House should devote time and energy to an issue that is not at the top of the public's expressed priorities." The report notes that cybersecurity should be a priority because cyber is a major national security issue, the threat is real and immediate, and cyber is connected to our economy and job creation.
The recommendations fall into four areas:
- critical infrastructure and incentives,
- information sharing and public-private partnerships,
- updating existing cybersecurity laws, and
- legal authorities.
In reviewing the recommendations, it is clear that the task force strongly believes that industry leadership and buy-in are the foundation on which the House should act; that underlying theme guides most of the report. Whether it is proposing to expand existing tax credits or streamlining the number of regulators to which companies have to report, the report relies on voluntary efforts rather than mandates to secure industry cooperation. The task force is very clear that new regulations should not be approached carelessly, saying that:
"Congress should consider carefully targeted directives for limited regulation of particular critical infrastructures to advance the protection of cybersecurity at these facilities using existing regulators."
"Any additional regulation should consider the burden on the private sector by requiring agencies to conduct a thorough cost/benefit analysis."
An interesting proposal (one that also demonstrates the push for industry rather than government leadership) is the creation of an organization outside of government to act as a clearinghouse for information and intelligence sharing between the government and critical infrastructure. The concept behind this proposal is to use the model of the Defense Industrial Base pilot program, which allows government and companies to share information in real time.
It is not clear how this entity would work with existing organizations such as the Information Sharing and Analysis Centers and the Sector Coordinating Councils, though the report does say the group should coordinate with them. Clearinghouses, it seems, are becoming more popular with Congress, as a number of recent proposals have suggested creating them (e.g., Senator Blumenthal's clearinghouse for data breaches, which was included in his bill that passed through Senate Judiciary last week). Real-time information sharing is very much needed, and such a clearinghouse could potentially resolve some of the questions about who should be in charge of cyber efforts.
In order to allow for more industry leadership, the Task Force proposes changing a number of laws, including antitrust law, FOIA, FISMA, the Computer Fraud and Abuse Act, and liability protections. The Task Force rightly lays out the questions that Congress must address in order to ensure that these laws are up to date and effective. Those questions are:
1. What is the responsibility and/or authority of the federal government to defend a private business when it is attacked in cyberspace?
- What if it is a foreign state attacking the business?
- What if we do not know the source, and what level of confidence do we need in attribution in order to take action?
2. How should we use the full range of instruments of national power and influence to discourage bad actors in cyberspace?
- How do we develop and apply concepts of deterrence?
3. The Intelligence Community collects much information on cyber threats.
- How do we decide which information to use to defend?
- How do we share information at network speed?
- How do we incorporate open source or proprietary information along with classified information to protect our networks?
4. What should the military's role be in relation to other agencies of the federal government?
- Do the military's authorities match up with its role?
5. Apart from when the military is acting pursuant to a congressionally authorized use of force, do sufficient authorities exist to allow for the offensive cyber operations necessary to protect our national security?
The report ends with a compendium of "other" cyber issues that routinely make the list of areas the government must address or examine when evaluating cybersecurity. They include: ISP Code of Conduct, Supply Chain, Federal Procurement, International Cooperation and Coordination, Federal R&D, Workforce Development, and Recruitment/Retention/Training.
In looking over the task force's work, what seems to be lacking is a discussion of emerging technologies and how security should be built into innovation. The report does mention cloud computing with regard to FISMA, but a more detailed plan for how to address cloud, mobile security, and the like would have been helpful, even if it had been added as an "other" issue at the end for Congress to tackle.
That said, overall, the recommendations do a thorough job of explaining which areas the task force believes should be the focus of House efforts on cybersecurity in the coming months. They also demonstrate that the path forward for the House will be very different from what the Senate has been promoting. Rep. Thornberry deserves credit for bringing together members with disparate views and, in certain cases, competing jurisdictional interests, and putting together a cohesive plan.