Prospects Iffy for Cybersecurity BillsAnalyzing Key IT Security Legislation Facing House Votes
Still Lewis, one of the foremost experts on federal cybersecurity lawmaking, expresses cautious optimism that legislation to protect the nation's vital networks could get enacted this year, despite the growing partisanship engulfing IT security legislation, an issue that once had wide, bipartisan support.
In an interview with GovInfoSecurity and Information Security Media Group, Lewis provides his analysis on key bills that are expected to come up for a vote in the House, including the:
- Cyber Intelligence Sharing and Protection Act, or CISPA, that encourages cybersecurity information sharing between government and business, and that critics fear would erode personal privacy.
- Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, or Precise Act, that would encourage the nation's mostly privately owned critical information infrastructure to secure those vital networks they operate.
- Federal Information Security Amendments Act, which would update the Federal Information Security Management Act, the law that governs federal government IT security.
A fundamental difference between most Democrats and Republicans is the role of government in establishing security standards on the privately owned critical IT infrastructure that the nation depends on to function. Democrats favor some form of regulation, though not as stringent as some seek, while Republicans generally askew regulations in favor of voluntary measures to protect crucial, private networks. Those differences make it tough for significant cybersecurity legislation to be enacted this year.
"Both sides of the aisle understand the significance of the problem, but if I were to do this again, I would not do it in an election year," Lewis says. "Now, we essentially have run out of time. There's something bigger going on - the presidential election, the congressional elections - and that will displace any serious work on cybersecurity."
Sliver of Hope
Though the House bills likely won't make it through the Senate, Lewis says, the upper chamber's Cybersecurity Act of 2012 could serve as a vehicle for lawmakers to get some form of IT security legislation enacted this year. Why, as the political divide on cybersecurity intensifies, would Lewis be hopeful? Lawmakers know of cyber's dangers, he says.
Lewis points out that the chairman of the Joint Chiefs of Staff, Army Gen. Martin Dempsey; National Security Agency Director Army Gen. Keith Alexander; and Homeland Security Secretary Janet Napolitano have briefed lawmakers as recently as this past week on the cyberthreats the nation faces.
"They have all gone up and said, 'Look, here's the problem we're facing and here's what we're doing now in which the voluntary approach isn't working. We need to change what we're doing,'" Lewis says. "Now, I think that's beginning to have a little bit of an effect.
"One of the reasons I'm confident the bills will pass is that there is probably some desire for people that will say, 'You know, we passed a bill, so when something bad happens, it's not our fault.' You're seeing an effort to persuade people that we must take serious action."
Lewis is a senior fellow and director of the Technology and Public Policy Program at CSIS, where he focuses on technology, national security and the international economy. In 2008, he served as the staff director of the Commission on Cybersecurity for the 44th Presidency, a bipartisan group of lawmakers, government and business IT practitioners and cybersecurity policy experts who proposed an approach to cybersecurity adapted by the Obama administration and adopted in the provisions found in many cybersecurity bills before Congress.