By Mitchell S. Kominsky*
The Threat and Impact of Cyber Attacks
Cybersecurity represents one of the most serious national security threats and economic challenges confronting our country. Cybercrime costs the United States approximately $100 billion annually.[1] At the same time, the quantity and sophistication of cyber attacks continue to accelerate at a frightening pace. From 2006 to 2012, cybersecurity attacks on the federal government alone increased 782%, reaching 48,000 reported incidents in 2012.[2] In a January 2012 hearing before the U.S. Senate Select Intelligence Committee, former FBI Director, Robert Mueller, asserted, “stopping terrorists is the number one priority for the United States, but down the road, the cyber threat will be the number one threat to the country.”[3] Until the United States enacts legislative reforms, however, the country may be ill equipped to adequately manage and respond to these threats.
Based on information shared by technology and cryptology experts, combined with the response by both the private market and the federal government, the cyber threat is quickly becoming the top priority for our national defense apparatus and private enterprise. In the meantime, the valuation of data continues to skyrocket at an unprecedented pace. As a result, we are rapidly entering what many—including Eric Schmidt, Executive Chairman of Google Inc.—have labeled the “Code War,” in which foreign entities race to build up their cyber capabilities.[4] In this environment, even foreign countries not generally considered global powers, such as South Korea,[5] recognize the importance of the impending battles to be fought in the virtual world.
Despite these grave concerns and the sharp increase of security breaches reported in the news almost on a daily basis, Congress has enacted no major legislative provisions relating to cybersecurity since the Federal Information Security Management Act of 2002 (FISMA).[6] The failure to act is even more remarkable when one considers how drastically the world has changed during the past decade. For instance, Apple Inc. first introduced the iPhone to the public only seven years ago, and during the last year alone the technology sector has produced significant advancements in areas such as wearable technology and the rise of artificial intelligence.
Current Debate on Capitol Hill
On the Hill, Members of Congress and Congressional Committees have engaged more intensely in cyber legislative discussions during the past three years than at any time in the past decade. Lawmakers generally agree that comprehensive cyber reforms are necessary to protect both private and government information systems. Yet serious disagreements exist over the details of the development and implementation of policy. For instance, Congressional staff is heavily debating the role of the federal government, the responsibility and capabilities of the Department of Homeland Security (DHS), the role of the private sector, the mechanics of information sharing between private sector and government, standards for protecting critical infrastructure, and cultivating a cyber-security workforce.[7]
The arguments over the details of legislative reforms are amplified by the limitations of Executive Orders. Under current law, including the Electronic Communications Privacy Act and antitrust laws, companies that wish to share information with the government in order to help thwart cyber attacks face civil and possibly criminal penalties. These existing liabilities prevent the swift flow of information from the private sector to the federal government and can only be reversed by legislative action. The Cybersecurity Intelligence Sharing and Protection Act (CISPA) introduced in both the 112th and 113th Congressional sessions attempted to address these liabilities.
CISPA, however, hovers over an interesting dynamic unfolding in a post-Edward Snowden era: the government needs more information to protect information systems and infrastructure, while the taxpayers express genuine concerns about a seemingly diminishing sense of privacy, and industry balances its relationship with consumers and government. After robust debate, CISPA underwent numerous amendments to enhance privacy protections, and the bill expressly requires a “cybersecurity purpose” for the sharing of information. These changes are evidenced by the more than doubling of Democrats who voted for the bill in 2013 (92) from 2012 (42).[8]
Staff and Members on Capitol Hill can and should find areas of compromise. Proposed within the White House’s legislative cyber recommendations from May 2011 (“White House Proposal”), there is widespread agreement on the need to create a uniform set of data breach response laws, which are currently an incoherent state-level patchwork. Likewise, there is general consensus among policymakers that the federal government must bolster its cybersecurity workforce and emphasize formalized education on the issue. Where there is general agreement, Congress should immediately pass reforms. It is unfortunate that in the current political climate a comprehensive package may not receive the necessary votes for passage.
In the continuing absence of legislation, however, the White House promulgated Executive Order 13636 (E.O. 13636) in February 2013. The Administration designed E.O. 13636 to create voluntary incentives for the private sector to share information with the federal government and to create a framework for the protection of critical infrastructure. Although voluntary in nature, the Executive Order potentially has sharp teeth. If Congressional language is not passed, E.O. 13636 may have the impact of creating regulatory or performance-based standards in the Federal Acquisition Regulations standards by articulating de facto regulations for private enterprise, especially in business transactions with the government.
Based on the looming cyber threat, a potential “digital or electronic pearl harbor,” House Committees continue to discuss legislative proposals. Various Committees of the House of Representatives have held 20 hearings in the 113th Session, nearly on pace to meet the 42 cyber-related hearings in the 112th Session.[9] Meanwhile, the Senate has held 7 hearings in the 113th session thus far, compared to the 19 hearings held in the previous session.[10] In the case of a potentially debilitating cyber attack on the United States that requires immediate legislative action, Congressional bodies have created a legislative groundwork to address reforms on cybersecurity policy and our protection of information systems.
Legislation
As threats and overall technology continue to increase in sophistication and size, Congressional legislative proposals have become more outdated. One of the policy reforms needed is the adoption of flexible and forward-thinking language recognizing that technology outpaces the legislative process. Additionally, legislative proposals must take into account the nature of the cyber threat, the role of private sector, and a reasonable balance between security and privacy.
The House of Representatives has chosen to take a step-by-step approach as opposed to the comprehensive view of cybersecurity reforms originally advocated by the White House Proposal. Instead of taking on every issue in one singular bill, the House of Representatives is working to produce a strong vehicle to drive cybersecurity reform by building and assembling legislation one piece at a time. These components include the Cyber Intelligence Sharing and Protection Act (H.R. 624); Federal Information Security Amendments Act of 2013 (H.R. 1163, FISMA 2013); Cybersecurity Enhancement Act of 2013 (H.R. 756); Cyber Economic Espionage Accountability Act (H.R. 2281); the Advancing America’s Networking and Information Technology Research and Development Act (H.R. 967); Critical Infrastructure Research and Development Advancement Act of 2013 (H.R. 2952); National Cybersecurity and Critical Infrastructure Protection Act (H.R. 3696); and Homeland Security Boots-on-the-Ground Act (H.R. 3107).
In April 2013, the House of Representatives turned its attention to four cybersecurity bills that had been marked up and reported by Committees earlier in the year. During this period, labeled “cyber week,” the House voted on and passed CISPA, FISMA 2013, the Advancing America’s Networking and Information Technology Research and Development Act, and the Cybersecurity Enhancement Act. While 11 cyber bills have been introduced on the House side as of early February 2014, the four bills passed by the House of Representatives have been referred to the appropriate Senate Committees and their enactment depends on the Senate.[11]
During the 112th Congressional session, the Senate had been working on similar reforms, but advocated for them in a comprehensive cybersecurity proposal. However, the Senate seems to be moving forward on an even more piecemeal approach, introducing more individually-tailored bills in the 113th session after failing to pass its comprehensive legislation, S. 3414, in the 112th Congressional session. As of this moment, the Senate has introduced ten bills, including the Cybersecurity Act of 2013 (S. 1353), but none have been voted on.[12] If and when the Senate takes up these legislative reforms, the Senate and House will have to agree on what to send to the President for enactment.
FISMA
As a Counsel for the House Oversight Committee, I have been fortunate to be at the ground floor of reviewing the various cybersecurity bills in an effort to ensure that the Legislative Branch is articulating sound information security policy. Congress must take actions to increase cybersecurity protections. The House has made progress towards achieving this goal.
For instance, in April 2013, the House of Representatives passed legislation updating the Federal Information Security Management Act of 2002 (FISMA), which created a security framework for security federal information systems. For years, FISMA compliance, passed to ensure the integrity of federal information systems, had become a “check the box” exercise.[13] Based on the ongoing security lapses, Chairman Issa and staff met with experts, including Chief Technology Officers from the private sector and federal agencies, to learn how to tighten these security vulnerabilities.[14] After carefully evaluating FISMA challenges with technological and legislative solutions, Chairman Issa and Ranking Member Cummings, working together, introduced H.R. 1163, the Federal Information Security Amendments Act of 2013.
To enhance the current framework for securing federal information technology systems, H.R. 1163 calls for automated and continuous monitoring of government information systems.[15] Some federal agencies are beginning to implement these security mechanisms. This is a positive step. Other departments and agencies, however, lag far behind. To address the security incidents occurring on federal information systems, which, in some cases touch the private sector, HR 1163 also ensures that control monitoring finally incorporates regular threat assessments to protect federal information systems.[16]
H.R. 1163 passed the House of Representatives by a vote of 416-0. Overall, the lesson here is that the House of Representatives can find commonality and a way around partisan politics if both parties work together at the initial stages of the bill drafting, communicate, negotiate, and agree on the larger goal. In the drafting of H.R. 1163, Congress did exactly this and the results evidence the success of the bipartisan “chipping away at the iceberg” approach. Now, H.R. 1163 has been referred to the Senate and it is my hope and expectation that the Senate Homeland Security and Government Affairs Committee will take up the bill, pass the reform, and send it to the President for his signature and enactment. Otherwise, federal information security systems will continue to be plagued by outdated protections codified by Congress more than a decade ago.
Role of The Department Of Homeland Security
During the drafting and passage of H.R. 1163, there was a significant discussion over the role of the Department of Homeland Security as it relates to cybersecurity. Experts in private industry and the public sector, including former top-level DHS officers, expressed serious concerns about DHS’s role and operational responsibilities to thwart cyber attacks.[17] Although many experts believe that DHS has a role in preventing cybersecurity incidents, the extent of that role needs to be further examined.[18] On the one hand, experts indicate that placing many cyber operations within DHS would be optimal due to the existence of a structure and programs such as the National Cybersecurity and Communications Integration Center.[19] However, industry has also questioned both the current capacity of the Department to carry out these functions, in addition to noting that the Executive Office of the President should be accountable, in some form, for cyber security operations.[20] If DHS is responsible for implementing legislation and cyber strategy, their actions will likely deeply impact the regulatory landscape for companies in the private sector. For example, the powers given to the Department over standards for determining critical infrastructure operators and operations will create new potentially significant obligations on companies.
The Future of Cybersecurity
Cloud Computing
The cloud computing enterprise has quickly accelerated to the forefront of government contracting and private industry. Both federal and state governments will likely have invested $18.4 billion in cloud computing by 2018.[21] Cloud computing is a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources … that can be rapidly provisioned and released with minimal management effort or service provider interaction.”[22] Cloud computing servers have proved to be an innovative and cost-savings measure for companies and government agencies. However, some questions regarding the security of the cloud still remain.
While concerns of potential security vulnerabilities in the cloud do exist, the federal government’s $600 million contract for cloud computing systems between Amazon Web Services and the Central Intelligence Agency illustrates that the government is heading further in the direction of utilizing cloud computing systems overall.[23] The Federal Risk and Authorization Management Program (FedRAMP) recently established a program aimed at “provid[ing] a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”[24] FedRAMP will be a critical measure for cloud computing system standards used within the federal government.
With the private sector and government moving towards the increasing use of cloud computing servers, however, each must be careful that the use of these systems protects the privacy of individuals and customer specific data. These privacy concerns are enhanced due to the NSA data collection program revelations unearthed by Edward Snowden and, similarly, high profile security breaches, including the recent theft of data relating to 70 million customers from the Target Corporation.[25] Government and companies therefore should not primarily focus on just responding to breaches, but proactively implement sufficient policies and measures to attempt to thwart security incidents.
Emerging Technologies: Biometrics, Mobile, And Drones
The technological sector is one of the most rapidly changing industries. All of these innovations will create an even greater need for sound and clear cybersecurity policy. In the near future, on a universal basis, individuals will be using biometrics to gain access to airport terminals, buildings, and transactions on and off-line. Mobile devices, including Google Glass and wearable technology such as smart watches, will contain exponentially more valuable information. Also, possibly as early as 2015, the Federal Aviation Administration will enact regulations regarding the use of commercial drones, which may have new capabilities of surveillance and theft of digital information, in addition to being vulnerable to cyber theft themselves.[26] The creation of evolving and innovative technologies must impact the way lawmakers think about cybersecurity policy, the digital world and how to protect information.
Impact of the Code War on Foreign Relations
There is an emerging and growing distinction between the virtual world and physical one. Simultaneously, data continues to increase in value as an integral part of every country’s resources. As the Internet continues to Balkanize, global powers, as well as countries with less influence or resources in the physical realm, are turning to the online world to initiate and deflect cyber incidents. This includes the collection of intelligence, proprietary information, and intellectual property.
Because of their technological capabilities, global powers will be attempting to gain political and economic capital by providing direct or indirect access to cyber weapons to countries with less access to technical expertise, significantly expanding the possible geographic location of a cyber attack. Additionally, non-global powers will specifically recruit the technical expertise to gain become a global force in the virtual world. Thus, the number of cyber threats will increase exponentially.[27] As we enter the “Code War,” a new type of online diplomacy has emerged, as we see unveiling between the United States, China, and other countries. To address these security and privacy concerns on an international basis, global powers will need to come to some consensus and create a cybersecurity-based treaty. At this point, there are no formal talks of forging an international treaty dealing with cybersecurity, although some countries, such as Kazakhstan, have previously advocated for such an agreement before the United Nations.[28]
As a result, the landscape of cybersecurity policy continues to rapidly change and evolve. Policy makers must keep pace of these advancements with responsive and responsible legislative solutions.
Disclaimer: This article presents my personal views and does not necessarily reflect the views of the House Oversight and Government Reform Committee. It is based on my remarks to the Public Contract Law Section’s Cybersecurity, Privacy and Data Protection Committee and Technology Section’s Homeland Security and Information Security Committees of the American Bar Association panel, “Cyber on the Hill” November 7, 2013).
*Mitchell S. Kominsky is Counsel for the U.S. House Committee on Oversight and Government Reform
[1] “Annual U.S. Cybercrime Costs Estimated at $100 Billion,” Siobhan Gorman, WALL STREET JOURNAL, Jul. 22, 2014, available at: http://online.wsj.com/news/articles/SB10001424127887324328904578621880966242990 (last visited Jan. 12, 2014).
[2] U.S. Government Accountability Office, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented(Feb. 2013) (GAO-13-187)
[3] Testimony, Robert S. Mueller, III, Director, Federal Bureau of Investigations, Senate Select Intelligence Committee hearing, “Worldwide Threat Assessment of the US Intelligence Community,” (Jan. 31, 2012).
[4] Eric Schmidt and Jared Cohen, “The New Digital Age: Reshaping the Future of People, Nations, and Business,” (Alfred Knopf, 2013)
[5] “South Korea to Train 5,000 Cybersecurity Experts,” Kwanwoo Jun, WALL STREET JOURNAL, Jul. 4 2013, available at: http://blogs.wsj.com/korearealtime/2013/07/04/south-korea-plans-a-big-boost-to-cybersecurity-staffing/ (last visited Jan. 12, 2014).
[6] Eric A. Fischer, “Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions,” available at https://www.fas.org/sgp/crs/natsec/R42114.pdf.
[7] This Congressional debate has occurred through the lens of legislative proposals made by various House and Senate Committees, the White House Legislative Proposal, and Executive Order 13636.
[8] “House passes Cispa cybersecurity bill with support of 92 Democrats,” THE GUARDIAN, April 18, 2013, available at: http://www.theguardian.com/technology/2013/apr/18/house-representatives-cispa-cybersecurity-democrats (last visited Jan. 31, 2014); “One Year Later, Twice As Many Democrats Vote for Cybersecurity Bill and Defy Obama,” TECH CRUNCH, April 18, 2013, available at: http://techcrunch.com/2013/04/18/one-year-later-twice-as-many-democrats-vote-for-cybersecurity-bill-and-defy-obama/ (last visited Jan. 31, 2014).
[9] Statistics, Congressional Research Service (CRS), available at: http://crs.gov/pages/Reports.aspx?PRODCODE=R43317&Source=search#_Toc375318016
[10] Id.
[11] Congressional Research Service, available at: http://crs.gov/pages/Reports.aspx?PRODCODE=R43317&Source=search#_Toc375317993
[12] Id.
[13] Supra, note 2.
[14] Id.
[15] H.R. 1163
[16] H.R. 1163
[17] Meetings between Congressional staff and private sector individuals.
[18] “DHS revs up its part of the cyber executive order,” FEDERAL NEWS RADIO, Jan. 31, 2014, available at: http://www.federalnewsradio.com/473/3553526/DHS-revs-up-its-part-of-the-cyber-executive-order (last visited Jan. 12, 2014).
[19] Supra, note 17.
[20] Id.
[21] “Government Sector will Invest $18.48 Billion by 2018 in Cloud Computing,” Saroj Kar, CLOUD TIMES, Jan. 1, 2014, available at: http://cloudtimes.org/2014/01/01/government-sector-will-invest-18-48-billion-by-2018-in-cloud-computing/ (last visited Jan. 12, 2014).
[22] National Institute of Standard and Technology, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (p. 6)
[23] “Amazon Wins $600 Million CIA Cloud Deal As IBM Withdraws Protest,” Kevin McLaughlin, CRN, Oct. 30, 2013, available at: http://www.crn.com/news/cloud/240163382/amazon-wins-600-million-cia-cloud-deal-as-ibm-withdraws-protest.htm (last visited Jan. 12, 2014).
[24] FedRamp website: http://www.gsa.gov/portal/category/102371?utm_source=OCSIT&utm_medium=print-radio&utm_term=fedramp&utm_campaign=shortcuts (last visited Jan. 12, 2014).
[25] “Report: Target says data breach affected 70 million customers,” CHICAGO TRIBUNE, Jan. 10, 2014, available at: http://www.chicagotribune.com/business/breaking/chi-target-data-breach-affected-70-million-customers-20140110,0,621285.story (last visited Jan. 12, 2014).
[26] “FAA Has plan for drones, but is behind schedule,” Bart Jansen, USA TODAY, Dec. 2, 2013, available at: http://www.usatoday.com/story/travel/flights/2013/12/02/faa-drones/3805447/ (last visited Jan. 12, 2014).
[27] Supra, notes 3 and 4.
[28] United Nations, News, “At UN, Kazahkstan calls for global cybersecurity treaty to deter hackers,” Sept. 21, 2011, available at: http://www.un.org/apps/news/story.asp/http%3Cspan%20class=%27pullme%27%3EIt%20has%20become%20increasingly%20clear%20that%20disasters%20are%20setting%20back%20efforts%20in%20development%20%E2%80%93%20they%20can%20cripple%20the%20economy,%20destroy%20infrastructure,%20and%20plunge%20more%20people%20into%20poverty%3C/span%3E://www.unisdr.org/www.iaea.org/html/www.wmo.int/html/story.asp?NewsID=39652&Cr=cyber&Cr1=#.Usxhw_s7RqM (last visited Jan. 12, 2014).
Mitchell S. Kominsky is Counsel for the U.S. House Committee on Oversight and Government Reform.