Break the impasse on cybersecurity

There appears to be no earthly matter on which the Democrats and Republicans in Washington can agree these days. It could be that cyberspace, however, can provide a more fruitful dimension for compromise than purely terrestrial concerns.

Improving cybersecurity — the protection of information assets and systems in the hands of government and private business — is recognized across the political spectrum as a crucial national priority. A succession of directors of National Intelligence and a growing anthology of U.S. government reports document that foreign governments and state-sponsored actors are stealing hundreds of billions of dollars a year worth of our business secrets and intellectual property, and compromising our supply chains and our private-sector operators of critical infrastructure, including power and gas facilities, water, transportation, finance and communications.

The key players on this do not mince words: President Obama has called the “cyber threat ... one of the most serious economic and national security challenges we face as a nation … America’s economic prosperity in the 21st century will depend on cybersecurity.” Former National Intelligence Director Dennis Blair said that cyberattacks against Google constituted a “wake-up call” about vulnerabilities that could cripple the U.S. economy, while Sen. John McCain (R-Ariz.) invokes the Government Accountability Office’s report “that over the last five years, cyber-attacks against the United States are up 650 percent. The threat is real.” Sen. Joe Lieberman (I-Conn.) echoed his good friend’s concern, noting: “We are being bled of our intellectual property every day and would-be enemies probe the weaknesses in our most critical national assets — waiting until the time is right to cripple our economy or attack a city’s electric grid with the touch of a key. The system is blinking red.”

The competing visions for cybersecurity legislation boil down to this: The Senate bill, championed by the president, Senate Majority Leader Harry Reid (D-Nev.), Lieberman and Republican Sen. Susan Collins (Maine), would empower the Department of Homeland Security to run a new regulatory program that would impose enforceable requirements on the private sector with new mandates to protect the country’s cyber patrimony. The Republican alternative also seeks to achieve greater cybersecurity protection, but with no mandates or standards, and allows a much lighter hand of government. It would establish a non-regulatory program to facilitate and encourage the exchange of cyber threat intelligence, including information about system vulnerabilities, penetrations and exfiltration of data. Information would be more readily shared directly between the private sector and the intelligence community, which of course makes some people nervous.

So where does that leave us? Everyone agrees: There are foreign bad guys out to get us who are already significantly hurting our national interests; cooperation and information-sharing between the U.S. government and private sector is imperative to slowing down the bad guys; the private sector controls the preponderance of the nation’s information assets and systems; either regulations or incentives, including the benefit of greater self-protection, could motivate businesses to take cyber risks seriously enough; and privacy and civil liberties need to be preserved in tandem with improving national cybersecurity.

What could a possible July 4 compromise look like? It would eschew regulation and mandates, but it would empower a new Office of Cybersecurity Coordination within the Department of Homeland Security to identify consensus standards — and obviate redundant measures or processes — by convening the private sector and consulting thoroughly with the departments of Defense and Commerce and with existing functional regulators of the financial, energy, transportation and communication sectors. This coordination initiative would assess current cybersecurity efforts and promote best practices in each relevant sector. The office would offer concrete recommendations, techniques and assistance to be helpful to different industries and individual companies. DHS could prepare quarterly progress reports to the president and Congress to assess each sector’s cybersecurity practices and identify any ongoing, material cybersecurity weakness. No individual companies would be targeted in the progress reports, only industry sectors.

The compromise legislation would not extend or diminish the government’s existing surveillance and information-gathering authorities. The new law should require the (soon to be repopulated) Privacy and Civil Liberties Oversight Board to be “read in” to all activities coordinated by the Office of Cybersecurity Coordination, and task the board to report its assessment of whether these new public-private cybersecurity efforts appropriately preserve privacy and civil liberties.

A “coordinating” compromise like the one envisioned above could materially address urgent cybersecurity needs without introducing new or duplicative regulatory burdens, without compromising privacy and civil liberties, and without expanding or undermining our current laws governing the surveillance powers of the National Security Agency, Central Intelligence Agency and Federal Bureau of Investigation. Since there is no partisan advantage or angle on cybersecurity, the only thing standing in the way of an effective compromise is lack of practice in reaching agreements.

Raul is a Washington lawyer and former vice chairman of the Privacy and Civil Liberties Oversight Board.