Future of cybersecurity lost in legislative limbo

At last count, there were more than 40 bills, resolutions and amendments dealing with cybersecurity pending in the House and Senate. They offer funding for cybersecurity research and development, deplore developments in China, establish new consumer protections, update government regulations, and create new executive oversight authority.

But none of these seems to be heading for passage anytime soon. And by this date in an election year, soon is the only time left. With the campaign season already under way and summer recesses coming up, the 111th Congress soon will be history, and everything will then need to start over.

During an administration that has declared cybersecurity a major national security issue and at a time when the term "cyber war" is cropping up in headlines and on talk shows, when the Internet is becoming synonymous with identity theft and phishing is being spelled with a “ph” as often as an “f,” why is this so?

Related stories

FISMA gets the tools to do the job

New cybersecurity coordinator says he has the president’s ear

Despite the rising profile of cybersecurity, it apparently still is not a sexy issue politically. Senators and representatives tread delicately through the minefields of health care, financial regulation and immigration because anything they say can and will be used against them in the coming election, and neutrality is not an option. But being on the wrong — or right — side of cyber defense is not likely to lose anyone many votes, so it is not a high priority.

Perhaps the more important question is: Does this matter?

Probably not. There are some important cybersecurity issues that should be addressed, and the most critical of them are being addressed through regulatory rather than legislative channels.

For instance, the Federal Information Security Management Act is in need of an update. But while Congress proposes, the White House disposes, with new standards for FISMA reporting that require agencies to shift from paper-based annual reports to real-time data feeds of system status. The new standards, issued through the Office of Management and Budget in April, are part of a much-needed move away from paper-based compliance to real-time visibility and automated security systems.

And the Executive Cyberspace Authorities Act of 2010 (H.R. 5247) introduced in May by Rep. James Langevin (D-R.I.), would establish a White House National Cyberspace Office for coordinating national cybersecurity policy. The director would have a seat on the National Security Council and would coordinate defense of government networks in case of an attack.

But President Barack Obama appointed a White House cybersecurity coordinator this year. Although he does not have the budget authority the NCO director would have, OMB does have this authority under FISMA. Langevin’s proposal might well have merit, but even though it took the president nearly a year to name a cybersecurity coordinator, the administrative track is proving more flexible and speedy than the legislative one.

There are some issues that could benefit from Congress’ attention, such as a national standard for data breach notification and protection of sensitive personal information. That is covered by a patchwork of state laws. But even in that case, holders of personal information can avoid confusion simply by adopting the highest standards practical and doing their best to avoid breaches.

Mark Twain said “no man's life, liberty or property are safe while the legislature is in session.” I wouldn’t go that far. But there are good avenues for regulating cybersecurity without new legislation.