While virtually the entire security world was in San Francisco last week, our elected officials on the other coast held what they called Cyber Legislation Week. The name may not have been official, but there was movement on several important pieces of legislation, and some new bills were introduced. With the number of new cyber bills being introduced, it's almost as if Congress wants to pass something, anything at all, relating to information security before the end of this session.
The National Cybersecurity Protection Advancement Act
The big event last week was the passage in the House of the National Cybersecurity Protection Advancement Act. Its passage did not come without criticism, though: a letter signed by over sixty security professionals opposing the act has been making the rounds on the Hill. Most of our elected representatives in the House decided to ignore the objections of security professionals and passed the bill by a comfortable margin of 355-63. The House also overwhelmingly passed the Protecting Cyber Networks Act, 307-116. Both bills focus on information sharing; the first came out of the Homeland Security subcommittee, and the second came out of the House Intelligence Committee. The questions surrounding both bills concern the privacy of individuals' data that might be shared, and the reduced liability for companies that inadvertently share private information. Lawmakers will work to combine the two bills before sending the result on to the Senate.
Cybersecurity Information Sharing Act
The Senate is working on the Cybersecurity Information Sharing Act (CISA). This is the bill that seems to be getting the most attention. The Senate had hoped to pass CISA before the end of April, but NSA reform has gotten in the way, temporarily stalling CISA's forward progress; staffers are now hoping it will reach the Senate floor by mid-May. This is the third Congress in which the House has passed major cyber legislation and sent it on to the Senate. Will the Senate act on its third try, or strike out?
Data breach notification
There are several data breach notification bills winding their way through both houses of Congress. The latest was introduced by Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) and is called simply the Data Security Act. This is the Senate's second major bill on the topic. Sen. Mark Warner (D-Va.) has been circulating a draft breach notification bill of his own and plans to introduce it soon; Warner hopes his bill will have the backing of the retail industry. In addition to the Senate bills, the House has two similar data breach notification bills, but they are not seeing widespread support. Some lawmakers fear that one of these data breach notification bills will get tacked on as an amendment to one of the more broadly supported cybersecurity bills. A national data breach notification bill is definitely needed, because the burden on companies attempting to stay in compliance with 47 different state laws is quite high. However, if a national law preempts stronger state laws, consumers in those states could end up with less protection than they have today.
Computer Fraud and Abuse Act
Sen. Lindsey Graham, chair of the Senate Judiciary crime subcommittee, said that he and Sen. Sheldon Whitehouse are working on a possible rewrite of the controversial Computer Fraud and Abuse Act (CFAA). The CFAA is the most widely used cyber law on the books, and some say the most widely abused. The big problem is that the CFAA was passed almost 30 years ago; besides being woefully out of date by today's standards, it is considered by many to be overbroad and vague. CFAA reform has been attempted before, most recently after the prosecution and subsequent suicide of Aaron Swartz, with the introduction of Aaron's Law. Unfortunately, Aaron's Law never made it to the floor for a vote and died in committee. There is no timeline on the current effort yet, but a bill will likely be introduced soon.
Encryption
It seems the crypto wars are back, or at least for one (hopefully) final skirmish. The FBI has been pushing for some sort of legalized back door, front door or key escrow, claiming that current encryption technologies are a hindrance to law enforcement and are putting the public at risk. The White House has also weighed in, saying that such weakening of encryption would unquestionably introduce greater levels of security risk into encrypted IT systems. The FBI has nonetheless been adamant that major technology companies should develop encryption technology that only the FBI can get into. On Wednesday, April 29, the House Oversight Committee's IT subcommittee held a hearing on encryption technology; the witnesses included several people with law enforcement backgrounds, but only one cryptography expert.
This is only the beginning
Following the mega-breaches at Target, Home Depot, Anthem and Sony, and the President's executive orders, things are quite busy in DC right now. There appears to be a great urgency around all things cyber at the moment. We will have to wait and see what, if anything, comes of all these different initiatives. Hopefully, our lawmakers will listen to the experts who have been in this industry for a long time and pass balanced and measured legislation, rather than simply voting into law the first thing that crosses their desks. Stay tuned.
For more information, see my previous blog about Cybersecurity Legislation Week 2015.