Rep. Langevin Open to Piecemeal Cybersecurity Legislation If Comprehensive Bill Proves Unrealistic
Rep. James Langevin, D-R.I., prefers a comprehensive bill, rather than one that is piecemeal, to establish a cybersecurity policy, he said Wednesday at a Brookings Institution event: “I'd like to see a major piece of legislation make it through the Congress this year.” However, “I don’t know how realistic that is,” said Langevin, who co-chairs the House Cybersecurity Caucus and formerly chaired the House Homeland Cybersecurity Subcommittee: “We're waiting to see what the Senate will do.” The important thing is to get something done this year, he added.
Langevin this year introduced his bill, HR-1136, which calls for creation of a National Office for Cyberspace (WID March 18 p4). If Republican-preferred piecemeal legislation passes, it should establish a cybersecurity director and give the Department of Homeland Security more authority to work with a cybercoordinator to protect critical infrastructure, he said: “At this point, I'll take what we can get.”
He approved of the House Republican Cybersecurity Task Force’s policy recommendations on cybersecurity, which suggest that Congress offer voluntary incentives for companies to invest in better cybersecurity (WID Oct 6 p6). He said he’s open to considering liability protection and tax credits. But “it would have to be in exchange for adopting tough standards,” he said. There should be a balance between incentives and regulation in “certain sectors that haven’t taken security serious enough and need more federal oversight in this area.”
In addressing where tax credits and incentives for cybersecurity measures fit into the work ahead for the Joint Select Committee on Deficit Reduction, Langevin said dollars must be spent wisely. “We have to make sure we're not duplicating our efforts,” he said, but “the cost of inaction, I think, can be greater than acting.”
Within the market, there is a lax attitude toward cybersecurity and a lack of appreciation for good cybersecurity, Langevin said. Although the SEC requires companies to report network breaches that could affect marketplace earnings or share price, “the definition is so vague” and “most of the breaches are never even reported.” The SEC is bringing more clarity to that, but “there should be mandatory reporting,” he said.
Langevin also supports the notion of developing a “dot-critical network.” This would be a much-more-closed network with certain people needing to have access, he said. He backed either a reduction in anonymity when getting onto critical infrastructure or creating a “separate, more closed network in the same way we protect the .mil network by having their own domain.”
“A portion” of the “dot-critical” suggestion is an expensive, counter-productive idea, said Michael Nelson, an Internet studies research associate at Georgetown University. “To throw out thirty years of Internet technology and think we can create better security in a brand new network and keep that network isolated from any bad viruses or malware, I think, is a fantasy.”
A piecemeal approach to legislation is a more timely solution, some cybersecurity experts said during a panel. “There are a lot of areas already we can focus on rather than trying to do the grand plan,” said Nelson. There’s no need for it, said Jaak Aaviksoo, former defense minister of Estonia. He said there’s always an “international dimension” in cyber attacks, like the 2007 breaches that affected several Estonian organizations. “It’s too complicated and we don’t have that much time.” Companies should have more pressure on them to notify and increase cybersecurity, Nelson said. Also, Congress needs to clarify jurisdiction, he said: “There are a lot of overlapping agencies [with] different people thinking they have the lead.”