Cyber Legislation 101: Keeping Track of the Moving Pieces

This week, the House Homeland Security Committee marked up the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act, H.R. 3674), sponsored by Rep. Dan Lungren, R-Calif. The bill tackles multiple cybersecurity issues and creates a new information sharing organization entitled NISO.

Next week the Energy and Commerce Committee will hold a hearing on cybersecurity, though the focus of the hearing remains in flux, at least publicly. Also waiting in the wings is another bill, the Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523) by Rep. Mike Rogers, R-Mich., Chairman of the House Intelligence Committee, that also tackles information sharing. There seems to be some debate about whether the Rogers bill complements or competes with the Lungren bill, and it remains unclear whether both bills will move through the House, one will prevail or, worst-case scenario, neither one advances. There is also the cyber R&D bill from Rep. Michael McCaul, R-Texas, the Cybersecurity Enhancement Act of 2011 (H.R. 2096), which passed through the Science and Technology Committee last year and is largely viewed as noncontroversial.

On the Senate side, a much-awaited comprehensive bill tackling FISMA reform, governmental authorities, critical infrastructure protection, R&D, information sharing, data breaches, and miscellaneous provisions is expected any day, although its "comprehensive" nature appears to be less likely every day. It is not clear whether enough consensus exists around the data breach and information sharing sections to allow them to be included, though the various pieces of the bill seem to be moving hourly. Opposition to the Senate comprehensive effort has been voiced by several Republican Senators as well as such groups as the Chamber of Commerce, though there has not been any alternative legislation offered in place of the comprehensive approach.

The Chamber, in a letter this week, called for "slowing" the process, asked for hearings and said the Senate was moving too quickly to get a bill to the floor that has not had adequate vetting and discussion. In reading the letter, I wasn't sure if the Chamber has been following the same cybersecurity bills many of us have been following -- the effort to move cybersecurity legislation in the Senate dates back to at least 2009, when Sens. Rockefeller and Snowe of the Senate Commerce Committee introduced a cybersecurity bill that was soon followed by a competing bill introduced by Sens. Lieberman and Collins of the Homeland Security and Government Affairs Committee. Three years, numerous hearings, and dozens of drafts later, there appears to be more consensus than competition as the two Committees, with input from other Committees, have come up with the latest versions of the various sections mentioned earlier.

Perhaps there should be one more hearing, if for no other reason than to lay out clearly, for those who seem to have missed it, all the work that has been done to move our nation's cybersecurity efforts forward, and to have a discussion about the issues that remain unresolved. For those remaining unresolved issues, let's get the various interests together publicly to put their ideas on the table on how to address them. And for those folks who don't have ideas, to quote Sidney Harris, "if you're not part of the solution, you're part of the problem."

That said, there may well be a few items where disparate views and solutions make it difficult to resolve the proper path forward. For those issues, the question should be: how critical are they, and can we move forward without them and still make progress? If the answer is yes, then cybersecurity legislation should move forward. If the answer is no, then we have a big problem and some of us may want to reevaluate the skepticism we've held for our Luddite brethren.

However you look at it, February is turning into quite the month for cybersecurity.