In the past year, U.S. cybersecurity policy has taken significant steps forward, moving away from proposed regulation-heavy regimes to a framework that embraces innovation as central to effective cyber protections. Most recently, President Obama’s cyber executive order (EO) and the House-passed Cyber Intelligence Sharing and Protection Act each focus on voluntary, collaboratively developed standards and best practices to reduce cyber risks to critical infrastructure. And now, the Senate has taken this approach a step further.
The tech sector has advocated consistently that efforts to improve cybersecurity must:
- Leverage public-private partnerships and build upon existing initiatives and resource commitments;
- Be able to adapt rapidly to emerging threats, technologies, and business;
- Properly reflect the borderless, interconnected, and global nature of today’s cyber environment (including global standards development);
- Be based on risk management;
- Focus on awareness; and,
- More directly focus on bad actors and their threats.
Importantly, Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Ranking Member John Thune, R-S.D., have introduced the Cybersecurity Act of 2013, which represents another important step that would advance cybersecurity policies that reflect positively on each of these core areas. Their new cybersecurity legislation would take strong steps to protect U.S. citizens and critical infrastructure from cyber threats. While their proposal must first undergo review by the Senate, it’s a smart, effective approach that is founded on innovation-first principles -- key to any effective cyber shield.
In several areas, the Rockefeller-Thune proposal builds on the efforts initiated with the president’s EO and supported by the tech sector. For instance, the bipartisan legislation would direct the National Institute of Standards and Technology (NIST) to facilitate and coordinate the development of a “voluntary, industry-led set of standards” through cooperative efforts with the private sector. The NIST process is central to the Administration’s cybersecurity initiative. Earlier this month, NIST wrapped up its third workshop on the voluntary cybersecurity framework, a draft of which should be released this fall.
The legislation also would work to strike a balance between personal privacy and cybersecurity protections. As we’ve said before, this balance is key to establishing effective security policy. The Rockefeller-Thune proposal places a high priority on personal privacy and civil liberties protections by placing use-restrictions on any cyber threat information that the private sector shares with the federal government, and having the White House Office of Science and Technology Policy focus federal resources on “methodologies to protect individual privacy and civil liberties.”
Last, but certainly not least, is the bill’s focus on public awareness of cybersecurity and cyber safety, including consumer education and digital literacy. A rising tide lifts all boats, and given our increasingly networked world, consumers and businesses benefit greatly from greater knowledge and application of good cyber hygiene that minimizes risks and vulnerabilities and helps to raise the overall bar for cybersecurity.
Last year, the Senate struggled to achieve strong bipartisan support for major cybersecurity legislation. With the Cybersecurity Act, Senators Rockefeller and Thune have come together as co-authors, putting the legislation at a good starting point to garner greater support from both sides of the aisle. That’s essential if the Senate is to avoid the obstacles that cut short Senate cybersecurity efforts last summer.
This bill has the right formula for success. It’s built on voluntary, collaboratively developed global standards. It embraces innovation-first security approaches. It can be a model for other nations to follow. It balances the need for privacy protections with the urgency of broader cyber protections. It looks at next-generation products and services with robust support for R&D and workforce training. And finally, with Senators Rockefeller and Thune joining in this bipartisan plan, the Senate is poised to thoroughly vet cyber legislation through the normal legislative process.
A hearing today will take a look at ways to improve the legislation, but we think that Senator Rockefeller and Senator Thune have gotten off to a strong start.