Republicans Welcome the President to the Table on Cybersecurity

• President Obama recently introduced a number of cybersecurity proposals addressing information sharing, data breach notifications, and cybertheft.

• The president embraced important principles necessary to a bipartisan discussion on cyber, though the details need more examination.

• The most effective policy to thwart cybersecurity threats is through a balanced public-private partnership.

The Growing Cyberthreat to Our Economy and National Security

According to a 2013 study by the Center for Strategic and International Studies, cybercrime costs the United States an estimated $100 billion annually. A 2014 survey found that 69 percent of U.S executives are worried about how cyberthreats will affect their company’s growth.

That threat continues to escalate. Incidents of loss, theft, and exposure of personally identifiable information increased by 38 percent from 2011 to 2012. During the first nine months of 2014, there were reportedly 1,922 data breaches, exposing 904 million records. In 2013, there were 46,160 cyberattacks on federal government systems, a 38 percent increase from 2011.

Washington’s sprawling bureaucracy has a vast amount of sensitive information vital to our national security, economy, critical infrastructure, and public safety. Businesses have treasure troves of information about people’s health, finances and other personal issues. Most, if not all, of this data is vulnerable to exploitation.

The Evolution of the Current Cybersecurity Policy Debate

In May 2009, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” In the same speech, the president recognized that the United States is “not as prepared as we should be, as a government or country.” After that, his administration did little else to effectively address the threat.

It was another two years before the White House proposed cybersecurity legislative recommendations in May 2011. The Republican-led House of Representatives passed the Cyber Intelligence and Sharing Protection Act, in April 2012, and again in April 2013. These were bipartisan bills, with numerous amendments to augment privacy protections. Forty-two Democrats voted for CISPA in 2012, and 92 voted for it in 2013.

In 2014, Senate Intelligence Committee Chairwoman Dianne Feinstein and Ranking Member Saxby Chambliss finally agreed on information sharing legislation, the Cybersecurity Information Sharing Act, which was reported out of committee by a bipartisan vote of 12-3. That bill was blocked from any further action by Democrat Majority Leader Harry Reid. 

The White House failed to work with Congress to complete cybersecurity legislation, and instead acted on its own, issuing executive order 13636 in February 2013. The administration created some voluntary incentives for the private sector to share information with the federal government and instructed the National Institute of Standards and Technology to create a framework to protect critical infrastructure. That’s a good start, and Senate Republicans support the order’s flexible NIST framework and efforts to cultivate a public-private cybersecurity partnership. However, the framework is no silver bullet, and the order fails to address liability protection for information sharing. More needs to be done, and Congress needs to be involved in doing it by statute.

President Obama Finally Gets Serious about Bipartisan Cybersecurity

Earlier this month, the White House released new legislative proposals on cybersecurity. The president also mentioned in his State of the Union address the importance of the issue.

“If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."  – President Obama, 1/20/15

Senate Republicans welcome President Obama to the negotiating table in order to pass and enact bipartisan solutions. Senate Committee on Homeland Security and Governmental Affairs Chairman Ron Johnson said in response that “the president’s proposal is an important first step in developing [cyber info sharing] legislation.” Chairman Richard Burr of the Senate Intelligence Committee noted the Senate Republican desire to work with the administration: “[w]hen we’ve got a committed White House, I can assure you it’ll be matched by a committed Senate of the United States.”

Voluntary Cybersecurity Information Sharing

According to the White House, its proposal “encourages the private sector to share appropriate cyberthreat information with the Department of Homeland Security’s National Cyber and Communications Integration Center.” The NCCIC will then share the information with relevant federal agencies and with the private sector.

The difference between this version and the Obama administration’s past efforts is that the administration now advocates for some “limitation of liability.” Under section 106 of the president’s latest proposal, “no civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity for the voluntary disclosure or receipt of a lawfully obtained cyber threat indicator.” While the president deserves credit for recognizing the need to provide protection to the private sector for sharing information, the language in section 106 may be too narrowly tailored to create a fully balanced and effective public-private partnership. Republicans should look to previous bills that passed the full House and the Senate Intelligence Committee for a more effective plan. These bills had significant industry support and provide an excellent foundation for enhancing cybersecurity while maintaining privacy.

Although information-sharing legislation will significantly improve our nation’s cybersecurity efforts, it is not enough. Senate Republicans plan to explore legislative solutions that further incentivize the private sector.

Data Breach Notification

The administration’s recent interest in cybersecurity and technology policy comes in the wake of the high-profile data breach of Sony Corporation. On January 12, the president visited the Federal Trade Commission to speak on data security, privacy, and cybersecurity issues. In his speech, he advocated for a “single strong national standard” on data breach notifications. His proposal would require companies to notify customers within 30 days of a data breach. It also includes a “safe harbor” exemption from the notice requirements under certain conditions.                                              

Today, 47 states and the District of Columbia, Guam, and Puerto Rico have passed data breach response laws. There is bipartisan agreement that this confusing patchwork of rules and standards should be fixed. Some of the congressional debate over the legislation should center on the level of preemption the measure would have over state laws. Section 109 of the president’s proposed legislation includes language regarding the “effect on federal and state law.” However, it also includes language exempting some state activity, potentially diluting and complicating a singular data breach notification standard.

Cybercrime Reforms

The Obama administration has also released a separate legislative proposal focused on “modernizing law enforcement authorities to combat cyber crime.” That bill would broaden prosecutors’ power and enable the “prosecution of the sale or rent of botnets, and would allow courts to shut down botnets engaged in criminal activity such as a distributed denial of service attacks.” According to the White House, the measure would also “expand federal law enforcement authority to deter the sale of spyware.” The White House proposal would reform the Computer Fraud and Abuse Act and update the Racketeering Influenced and Corrupt Organizations Act to apply to cybercrime.

The proposal to enhance prosecutorial powers is a step in the right direction, though perhaps largely one of symbolic value, given the difficulty of identifying cybercriminals and bringing them to justice. Some experts have claimed the proposal could have the unintended effect of potentially criminalizing normal activity such as clicking on a link on Twitter or Facebook, if that link leads to stolen data. Congress needs to carefully examine the language to ensure it finds the best, and most tailored, response.

The Path Forward on Cybersecurity

Senate Republicans intend to work with Democrats and the administration to pass cybersecurity legislation addressing the increasingly sophisticated threat to our economy and national security. There will be bipartisan proposals aimed at enhancing protections for the private sector, government, and consumers. Legislation is expected to address information sharing between the public and private sectors; enhancement of cyber research and development; cybertheft; and building a sufficient cyber workforce. These proposals will create important tools against the cyberthreat, but it’s imperative to continually understand the ever-evolving threat and create a flexible framework.