New House Cybersecurity Bills Coming, Says Rep. Thornberry
Lawmakers are planning to introduce an unspecified number of new cybersecurity bills “in the next couple of days,” said Rep. Mac Thornberry, R-Texas, at a cybersecurity panel hosted by the Center for Strategic and International Studies Tuesday. These bills will build upon the recent recommendations by the House Republican cybersecurity task force, which is led by Thornberry and overseen by House Speaker John Boehner, R-Ohio (CD Oct 6 p13). Thornberry said the focus on U.S. cybersecurity is “directly related” to job creation and preservation “because every day somebody reaches into some business’ computer and sucks out intellectual property, they are sucking out jobs from the U.S. economy.”
Though Thornberry won’t introduce a cybersecurity bill, he was “reasonably optimistic” that some of the other 11 members of the task force are planning to introduce legislation that is “consistent with the recommendations we had,” he said. “We will have a bill referred to more than one committee and you will see the speaker’s office coordinating with committees as far as the steps ahead.”
There is a need for a new, non-governmental entity to help improve cybersecurity information sharing “because of the privacy concerns of government looking at your stuff,” Thornberry said. Currently, the U.S. Computer Emergency Readiness Team (US-CERT) acts as a conduit for information sharing between the government, the private sector and other information sharing and analysis centers (ISACs). But the task force’s proposed “clearing house organization” is a preferable information sharing conduit between the government and the private sector, Thornberry said. “We need something that is separated from the government and yet secure enough so that government would feel confident to bring its information there as well as the legal protections that are needed for business to bring its information there,” he said.
The task force’s information sharing approach stands in stark contrast to the Obama Administration’s proposed plan, which has “much more centralization in the Department of Homeland Security and much more kind of reviewing of the industry or business’ cybersecurity plan,” Thornberry said. “We have concerns about that.” The Administration’s proposal, released in May, said DHS should lead the nation’s cybersecurity response and provide assistance to organizations victimized by cyberattacks (CD May 13 p10). Instead, the clearing house organization would incorporate reports from the departments of Homeland Security, Defense and other federal agencies outside of the government’s domain to provide private sector entities with actionable cybersecurity information.
The task force recommends incentives, rather than federal mandates, as a means to promote greater cybersecurity in the private sector, Thornberry said. “We believe that some encouragement is better than mandates. There should be this menu of incentives to elevate this issue in the consciousness of CEOs all around the country,” he said. Such voluntary incentives include tax credits for cyber investments, liability protections for companies with enhanced security practices, and rewards for participation in the development of cybersecurity standards, among others. Though the task force had considered tying companies’ compliance with cybersecurity guidelines to their SEC filings, it ultimately rejected the notion in favor of incentives, Thornberry said.
Lawmakers also plan to update and modify 50 or so laws to incorporate modern cybersecurity provisions, Thornberry said. “Fifty-something laws have been identified that need to be seriously looked at, that are out of date because they were written before the Internet and technology had evolved to the point where it is today,” he said. In particular, the task force recommended legislative changes to the Federal Information Security Management Act (FISMA), the Computer Fraud and Abuse Act, as well as various electronic communications and racketeering laws. “Some of those updates are going to be absolutely essential to allow information sharing, because nearly everyone agrees that has to happen to take action on cybersecurity.”
There are longer-term issues which Congress must also address, such as better cybersecurity education and better training for cybersecurity professionals, said Thornberry. But “what we were trying to do is say what can we pass now in this Congress to make a significant difference in cybersecurity?” he said.