The increasing and nearly daily occurrences of cybersecurity attacks against both public and private sector entities that service the everyday lives of Americans continue to raise the importance of addressing cybersecurity issues head on. Members of Congress feel a level of frustration about the lack of movement on legislation as they seek to balance security with privacy. Members of the House and Senate continue to work together to seek ways to pass cybersecurity bills in the lame duck session. Member retirements in key leadership roles, such as with Chairman Rockefeller in the Senate and Chairman Rogers in the House, could spur action, as they face a crowded calendar of “must-do” bills. Given the odds against anything being approved this year, anticipate that enactment of cybersecurity legislation will again be a top issue for the 114th Congress. Also expect continued executive action by the President as a means to move the ball forward on this issue while the Congress continues to work through the process. With few exceptions, the key congressional players engaged in cybersecurity-related initiatives in the last Congress will remain the same and will provide some continuity for the public and private sector participants who have been closely following the process.
Efforts focused on increased cyber information sharing and associated liability protections will continue in both chambers, with the expectation that leading Members in both the House and Senate will again introduce bills in the various committees. With a new chairman at the helm of the House Permanent Select Committee on Intelligence, the approach pursued by the leadership of the committee may vary given private sector privacy concerns and continued White House opposition to the proposed Cyber Intelligence Sharing and Protection Act (CISPA). The Senate has moved forward with information sharing legislation in a bipartisan fashion in the past. Anticipate that approach will continue.
Anticipate introduction of bills in the 114th Congress similar to those we have seen in the past, such as those focusing on the need to strengthen the capabilities of the U.S. Department of Homeland Security (DHS) in the area of cyber, maintaining a civilian agency as a partner to the private sector. Others will focus on codifying the mandate of the National Cybersecurity and Communications Integration Center (NCCIC), strengthening the hiring abilities of DHS to build and maintain a cybersecurity workforce, increasing investments in cybersecurity research and development, and updating the Federal Information Security Modernization Act (FISMA).
The annual appropriations bills will also continue to be a vehicle for moving cybersecurity-related provisions, including language restricting purchases from specifically targeted Chinese entities based on supply chain security issues, as was included in the House’s FY 2015 Commerce-Justice-Science appropriations bill.
At the end of the day, it is clear that the Obama Administration will continue to use its executive authority to address cybersecurity concerns and will remain actively engaged in the implementation of the February 2013 Cybersecurity Executive Order (EO) 13636 and Presidential Policy Directive (PPD-21). The release of the Cybersecurity Framework in 2014, almost exactly a year from the issuance of EO 13636, and the recently issued EO on data security signal that other EOs may be in the works and should be closely watched.
Since the issuance of EO 13636 nearly two years ago, almost every department and independent agency has taken an active role on cybersecurity issues as concerns grow over the impact of cybersecurity attacks on the sixteen Critical Infrastructure (CI) sectors defined in the EO. The Securities and Exchange Commission (SEC), for example, has begun spot checks of companies to ensure adequate filings on cyber risk. The Federal Trade Commission (FTC) has filed 53 lawsuits against hotels and retailers using its consumer protection authorities, and is seeking greater enforcement and rulemaking powers from Congress. The Federal Communications Commission (FCC) has begun efforts to look at ways to address the lack of existing cybersecurity regulations on the communications sector. It is safe to say that there will be an increasingly activist oversight role by every one of these agencies in the last two years of the Obama Administration.
On the international front, concerns in a post-Snowden world have tied together the bilateral and multilateral negotiations on cybersecurity and privacy. The European Union is working on its own cybersecurity regime under the Network and Information Systems (NIS) Cybersecurity Directive along with the European Program for Critical Infrastructure Protection. The North Atlantic Treaty Organization (NATO) recently issued a statement about rules of engagement on a cyber-attack. The Russian and Chinese governments recently reaffirmed the principle of national sovereignty in cyberspace. Expect more discussion in the international realm on cybersecurity and privacy issues as governments focus more attention on the balance needed between security and