The most recent cyber-sharing legislation is a bipartisan bill from Sens. Dianne Feinstein, D-Calif., and Saxby Chambliss, R-Ga., but the Senate would need to act on it by August. (Getty Images)
It’s been a long and largely unfruitful journey to get a cybersecurity bill passed in Congress thus far, but that doesn’t mean lawmakers are ready to give up yet. In fact, some say they are more encouraged than ever.
The latest effort in cyber legislation, a bipartisan bill from Sens. Dianne Feinstein, D-Calif., and Saxby Chambliss, R-Ga., seems to offer a glimmer of promise, but as Rep. Mike Rogers, R-Mich., previously warned, time is quickly running out.
Rogers recently said that the Senate would need to act by August to gain any meaningful traction on a cyber bill. On June 12, he said a recent meeting with Feinstein, Chambliss and Rep. Dutch Ruppersberger, D-Md., had left him hopeful.
“That was one of the most productive meetings I thought we had this year on this issue, and I am back to being extremely optimistic that we are going to get a cyber sharing bill this year,” Rogers said at an American Enterprise Institute event in Washington. “I am very, very encouraged by this meeting yesterday.”
Those on Capitol Hill are not the only ones heartened by recent developments in cyber legislation. The Feinstein-Chambliss bill itself is bringing some optimism after several years of failed attempts, in part because it offers new measures that appeal to many, including members of industry.
In addition to improving information-sharing between private companies as well as between the federal government and the private sector, the new bill, which has yet to be formally introduced, also empowers companies to act to defend their own networks. Up until now, operators of private networks largely were legally unable to do much more than track and report anomalous behavior.
A section in draft legislation of the bill outlines authority for private-sector entities to operate countermeasures on their own networks and on the networks of other private and public networks for which they are given permission.
“It basically says you have [the] right to actually defend data you have if it’s of a personal nature or if it’s intellectual property, and that has never been codified as far as I know,” said Mark Seward, senior director of public sector at Splunk, an IT firm based in San Francisco. “It gives you the ability to put together active defenses – not attack back per se, but to lead an attacker down a path that is not somewhere they want to go.”
For example, if a company spots an attacker “crawling” its website looking for vulnerability to exploit and gain access to data, the company’s security team could defend itself by luring the attacker onto a decoy website that allows the team to observe the attacker’s patterns and prevent them from gaining access, Seward said.
The countermeasure piece of the proposed bill is the latest tool that lawmakers and cybersecurity proponents alike hope will strike a balance between going far enough to be effective while still maintaining privacy and civil liberties. That balance has proved elusive enough so far to sink multiple bills over the course of several years, to the frustration of those working to protect against a growing cyber threat.
“Understand this: For us in the private sector who are trying to make informed risk-management decisions, the hang-up oftentimes is this whole need-to-know thing, worries about classification and so forth,” Robert Dix, vice president of Juniper Networks, said at the AEI event. “What we care about is tactics, techniques and procedures. Sources and methods aren’t as relevant to us … what can we learn from past experience that we can share broadly across the stakeholder community?”
That chasm between policy in Washington and action on the ground underscores a bigger problem the U.S. faces as leaders grapple with how to regulate the fast-paced and rapidly changing national security threat posed in cyberspace.
“The cyber question is part of a larger question in terms of cybersecurity of how it is we use the organs of state power, which were hardwired in this country in 1947, to deal with threats emanating from powerful ill-willed nation-states, and now use those organs of state power to defend against these threat vectors that do not come from nation-states and in fact come from failures of nation-states,” said Chertoff Group’s Michael Hayden. “We’ve underestimated how big of a deal this is, period.”