How Capitol Hill politicking has undermined cybersecurity--again.
By James Andrew Lewis
James Andrew Lewis is a senior fellow at the Center for Strategic and International Studies.
The U.S. Congress has been considering two significant cybersecurity bills, the Revised Cybersecurity Act of 2012, which failed a procedural vote in the Senate on Thursday, and the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives.* Their significance comes from their shortcomings: Both bills have fallen prey to the limits of the current American political climate, where special interests and disputes over the appropriate role of government have combined to harm national security — and, as a result, neither will do much to protect the United States from cyberthreats.
Congress knows that weak cybersecurity endangers the country — and that America is dangerously unprepared — but it cannot muster a majority to support serious defensive measures. The same forces that have kept Capitol Hill in gridlock on many important issues have also blocked effective cybersecurity legislation. That said, Congress does not want to be in the position, after the inevitable cyberdisruption, of having to say it knew but did nothing.
The political solution to gridlock is to pass weak legislation and pretend it will work. This is the CISPA story. House Republicans created a Cybersecurity Task Force last year to develop ideas to strengthen cybersecurity. The report they issued in October was fair and accurate. Had the House enacted its unanimous recommendations, which included regulation of critical infrastructure, the nation would be safer. The recommendations formed the basis of a comprehensive bill introduced in the Homeland Security Committee. Unfortunately, for reasons that are unclear, but likely relate to concerns about the Department of Homeland Security (DHS), small-government ideology, and the pressures of an election year, the House suddenly reversed course and withdrew the comprehensive cybersecurity bill from consideration, with some members saying that they no longer supported the report they had endorsed a few months earlier.
The demise of the task force-inspired bill meant the House needed something to take its place. The solution was to elevate CISPA. CISPA began as a measure to remove the legal impediments to information sharing between companies and the government. This information can include "signatures" and other cyberthreat indicators, such as intelligence information, reports of successful penetrations, and information on the identities or network addresses of the "attacking computers" (this category raises potential privacy problems that CISPA worked hard to address). Many people agree that the United States needs to update legislation on communications and privacy, and CISPA does good work in this regard (pace the privacy community), but it is not really a cybersecurity bill and sharing information is a feeble response to a serious threat.
Politicians like information sharing because it doesn’t actually require them to do anything. Information sharing was a central part of the Clinton administration’s cybersecurity policy created in 1998 by Presidential Decision Directive 63. Information sharing didn’t work then, it hasn’t worked since, and it won’t work now. America is more vulnerable to cyberattack after years of relying on voluntary action and information sharing because information sharing does not change the economic incentives for inaction. Companies assess the probability that a threat will become an attack, and if there is an attack, whether they will be held liable. They weigh the cost of preventive measures against the risk of liability. Almost all conclude that the liability risk for cyberattack is too low to justify greater effort. This is a sensible business decision but does not help national security. Sharing cyberthreat information is not enough to protect critical infrastructure because it is the attacks we don’t know about, the attacks that exploit unknown vulnerabilities, that create the greatest risk.
Particularly after their experience with the "warrantless surveillance program," where companies that cooperated faced a plethora of lawsuits, corporations are understandably reluctant to share information with the government. CISPA would lower the risk of sharing information by offering them liability protection, but it does not create incentives for securing networks. In private, some members of Congress will tell you that they know CISPA is not enough. Nevertheless, in public, they trumpet CISPA as a cybersecurity bill. One powerful motive for its passage, as a House member privately told companies, was that it would "help protect you from regulation."
The bogeyman of regulation appeared in the Lieberman-Collins bill (now the Revised Cybersecurity Act of 2012), which incorporated language from bills drafted by Senators Jay Rockefeller, Olympia Snowe, Dianne Feinstein, and Tom Carper. The bill, in draft for three years, gave DHS the ability to regulate critical infrastructure. This provoked howls of rage from some conservative opponents because it ran contrary to the belief that the private sector does not need help from big government. There are sound reasons to be critical of Keynesian economics without also sacrificing public goods. Big government is best avoided, to be sure, but no sane person has ever said that the private sector can carry the burden of national security. Nor is anyone calling for an end to Federal Aviation Administration regulation and instead relying on market incentives for safe flight. The fate of the cybersecurity bills is part of a larger and damaging political debate on the role of government.
To be fair, early drafts of the Cybersecurity Act had problems. No one on either side of the aisle was comfortable giving DHS more authority — its failure to perform in the first years of its existence told heavily against it. What’s more, the bill did not precisely define what critical infrastructure would be covered by the new law, giving the impression that DHS would regulate the entire economy. And it was too prescriptive, requiring DHS to approve companies’ cybersecurity plans in advance — a sure way to ensure delays and backlogs.
At the same time, proposed amendments from opponents were ridiculous. To limit the definition of "covered" critical infrastructure, they proposed that only facilities where cyberattack would produce "a mass casualty event comparable to the consequences of a weapon of mass destruction," "mass evacuations of a major population center," or "catastrophic economic damage" would be covered. The Stuxnet worm, for example, would not have been caught under this definition. Amendments like these showed that many opponents of the bill, in and out of Congress, are not serious about cybersecurity.
When the Cybersecurity Act was finally introduced in February, many issues had been fixed. DHS would no longer approve plans in advance. Company CEOs would only need to certify once a year that they had taken steps to secure their networks, using measurable outcome-based guidelines. DHS would not prescribe how they should do this, but simply define outcomes that a company could then use any technology or technique to achieve. This was very light regulation, but for some it was still too much.
Encouraged by business interests, seven ranking minority members from relevant Senate committees rushed an alternative bill into play. The first draft of this alternative bill was simply a copy of early versions of the Lieberman-Collins bill, with the new authorities removed. It, like the "mass casualty" definition, was intended only to block the Cybersecurity Act, not to make Americans more secure — any politician or lobbyist will tell you it is hard to stop something with nothing.
The Revised Cybersecurity Act that reached the floor last week was drastically amended in an effort to secure more support. One amendment that did not survive built on ideas from Senators Sheldon Whitehouse and Jon Kyl. It would have kept a standard-based approach and annual certification, but made it voluntary for all companies except those that the government designated as critical to national security. An example would be a critical defense facility in a remote area that depended on a small electrical company whose networks may be vulnerable to attack.
This approach could have worked. The only requirement would have been an annual certification by CEOs. Critical infrastructure would have been protected. And DHS would not have become an über-regulator; instead, existing regulatory agencies would have overseen compliance with cybersecurity standards.
Alas, the Revised Cybersecurity Act of 2012 relies on voluntary action — for everyone, regardless of their importance to national security. But what everyone does now is entirely voluntary, and more of the same will not improve security. The bill offers weak incentives for companies to certify that their networks are secure. It continues the overreliance on information sharing, accompanied by complicated protections to assuage the privacy community. Regulatory agencies can make cybersecurity standards mandatory to the limits of their existing authorities. The bill simply translates the status quo into legislation — a status quo we all know is inadequate.
Few companies are likely to certify themselves because the incentives in the bill don’t compensate for the regulatory risk this creates. A promise to "study" procurement preferences isn’t much of an incentive — it’s like promising to study whether you should repay someone who lent you money — and in any case, infrastructure companies are often sole providers for whom "preference" is not an incentive. The basic problem — true since 1998 — is there are no incentives sufficient to make companies in most critical infrastructure sectors take voluntary action to bring the security of their networks to the level needed for national defense.
Congress could fix this if it revised the Cybersecurity Act one more time to give the federal government the ability to mandate compliance with reasonable standards when this is needed to defend the nation, but there is probably not enough time before Congress goes out of session to do this. Most observers believe that the United States will only get effective cybersecurity legislation after there has been a crisis and that the country will then overreact, trampling privacy and putting in place rigid requirements. No one on the Hill wants this outcome, but it may be unavoidable.
The fate of cybersecurity legislation is symptomatic of a larger political crisis. Congress knows there is a problem, but cannot agree on a fix. That the cybersecurity bills fall short is not the fault of the sponsors and drafters of the bills, whose goal has always been to protect the nation. They have struggled for years with difficult issues and an intransigent opposition from shrink-government zealots and business groups. Whether these bills become law or not, the task of finding new, effective ways to secure the country’s infrastructure and networks will now revert to the executive branch.
* This article has been updated to reflect the Senate’s vote on Thursday.