With each New Year comes the promise of a fresh start, and nowhere is there a more pressing need for that than in Washington, where gridlock has taken hold for too many months. The good news is that the close of 2013 witnessed the beginnings of forward motion, on the part of key actors, on select issues of national importance. In December, Rep. Paul Ryan, R-Wis., and Sen. Patty Murray, D-Wash., jointly took the lead on preventing another government shutdown only three months after the last one by crafting a bipartisan budget deal. While the deal is nowhere near a grand bargain in scale and scope, it does reflect incremental progress that is still a step in the right direction and, as such, is emblematic of what may be the new model of governance in the capital: Getting things done through small steps forward.
Indeed, the new golden rule in Washington may be: Don’t let the perfect be the enemy of the good. In the present partisan atmosphere, holding out for a panacea that addresses all challenges comprehensively may simply be a bridge too far. Cybersecurity is just one important area that could benefit much from this type of approach. Consider the context: Despite an ever-increasing array of cyber threats that continue to morph and evolve in complexity, and despite widespread acknowledgement that more needs to be done, the United States remains underprepared for the ecosystem it faces and the many hostile actors that inhabit cyberspace. While there may be plenty of blame to go around in terms of inaction, Americans rightfully expect some remedies and results.
Despite a range of proposals for addressing gaps in cybersecurity, none have fully materialized. For instance, the Cyber Intelligence Sharing and Protection Act (CISPA), sponsored by House Intelligence Committee Chairman Mike Rogers, together with Ranking Member Dutch Ruppersberger, passed the House but not the Senate. Designed “to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes,” the House bill would have facilitated the exchange of threat and vulnerability information needed to prevent, mitigate, and respond to cyberattacks. It also addressed liability issues that may arise in connection with such exchange. The importance of information sharing is widely acknowledged, but prevailing sensitivities attached to the matter are acute, due largely to the Snowden case, which continues to unfold. Prospects for the bill are dubious, even though the latest version addresses many of the privacy concerns that critics raised with an earlier iteration.
In December, House Homeland Security Committee Chairman Michael McCaul also introduced the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (NCCIP). This bipartisan bill, submitted together with Ranking Member Bennie Thompson, and counterparts on the House Homeland Security Committee’s panel on cybersecurity, infrastructure protection and security technologies (Reps. Patrick Meehan and Yvette Clarke, respectively), aims to “strengthen…the cybersecurity of the nation’s 16 critical infrastructure sectors as well as the federal government by codifying, strengthening and providing oversight of the cybersecurity mission of the Department of Homeland Security (DHS)—the agency responsible for ensuring the security of our critical infrastructure.”
On the Senate side, the Armed Services Committee, the Homeland Security Committee, and the Intelligence Committee are contemplating measures within their defined areas of jurisdiction. In the Senate Commerce Committee, moreover, Chairman Jay Rockefeller and Ranking Member John Thune introduced last July the Cybersecurity Act of 2013, which “would give the National Institute of Standards and Technology (NIST) authority to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure”; and “make sure the federal government supports cutting edge research, raises public awareness of cyber risks, and improves the nation’s workforce to better address cyber threats.”
In effect, the Senate Commerce Committee bill largely codifies President Obama’s February 2013 executive order on improving critical infrastructure cybersecurity, which allocates to NIST a central role in facilitating the development of a private sector-led, market-oriented framework. The final version of that cybersecurity framework is expected to be published later this month and "shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," according to the executive order.
These are just some of the cybersecurity measures that have been initiated. For the private sector, a prominent concern is to know and understand the rules of the road regarding active defense. Industry leaders understandably want clarity on these rules, which they will help define and which will allow companies to protect themselves. Such an approach, wherein guidelines and guidance are relayed to the private sector to then determine the best way forward, is emblematic of the direction in which we need to go if tailored and effective countermeasures are to be formulated and enacted in real time and/or as required. Companies cannot be expected to simply wait until Congress and the executive branch get their own houses in order.
From optimizing interagency cooperation to pursuing research and development strategically and beyond, there are various steps left to take in the area of cybersecurity. Our adversaries are not standing idly by and the risks continue to multiply. How many more incidents like the recent and massive breach of Target’s data, involving millions of Americans, are needed to spur the country into taking the actions needed? If it takes baby steps to push the country further down the path to a more robust posture, so be it. Just as Congressional committees have put their minds to crafting an omnibus bill that converts the Ryan-Murray framework into details and constructive action, so too must we get on with it in the cyber realm. 2013 was a very good year for our adversaries. Let's not make it two in a row by our own hand.
Frank J. Cilluffo is director of the George Washington University Homeland Security Policy Institute and GW’s Cybersecurity Initiative. Sharon L. Cardash is HSPI’s associate director and a founding member of GW’s Cyber Center for National and Economic Security.