Cybersecurity Legislation Campaign

Congress is home for two weeks dealing with fundraising and constituent services so nothing is ‘getting done’ on the cybersecurity legislation front, at least officially. Looking at happenings in the press it is fairly obvious though that there is a lot of political prep work being done to help grease the way for some sort of legislation in the not so distant future.

Cyber Legislation Outlook

First off there’s a very interesting article over at Politico.com looking at the prospects for the passage of cybersecurity legislation in the coming months. There are two points that I think need to be added to that commentary; first Sen. Reid (D,NV) has been promising imminent cybersecurity legislation consideration in the Senate for over two years now without success and more importantly (for readers of this blog in particular) none of the bills under consideration will have any real impact on control system security issues.

The interesting thing about this article is that it is mostly written from the perspective of the Administration’s interest in cybersecurity legislation with only a few unattributed quotes from GOP congressional staffers and the inevitable quote from Chairman King (R,NY). I don’t know anything about the two authors of this piece but it sounds like the article idea came from someone inside the Administration. Not that this is a shill piece by any stretch, but someone in the executive branch is making sure that the issue stays in the press.

ICS-CERT and the Threat

A second article, this one over at TechWorld.com, continues the current vague-threat reporting from the folks at DHS. This one looks at the infrastructure control systems (water and electric receive the biggest play here) that are ‘under daily cyber attack’. Once again DHS is sounding the alarm without providing much in the way of details.

Even when providing numbers, the information is unactionably thin. For instance the article quotes Sanaz Browarny, chief, intelligence and analysis, control systems security program at DHS, as claiming that of the 17 ‘fly-away’ ICS-CERT responses last year “11 of the 17 incidents were very ‘sophisticated’, signaling a well-organized ‘threat actor’”. In a tech publication one would have liked to see a little more detail about what kinds of systems and attacks were actually involved in the ‘sophisticated’ incidents.

Congressional Legal Analysis

The third article that is of interest to those of us concerned with cybersecurity legislation is a brief piece over at FederalNewsRadio.com. There is not really much in the article besides a link to a Congressional Research Service (CRS) report on some of the legal issues associated with some of the cybersecurity bills currently being considered by Congress. These CRS reports are typically requested by Committee Chairs or Ranking Members as an aid to the deliberation process.

This report was written by five legislative attorneys that work for the CRS. It examines a number of the legal issues that have been raised about the current batch of cybersecurity bills that Congress may actually get around to acting upon during this session. The specific issues include:

• Liability concerns;

• Protecting proprietary and confidential business information;

• Sharing cybersecurity threat information; and

• Preemption issues.

These issue discussions are very interesting and will probably be ignored during Congressional debates. As with most things dealing with legal issues, a good lawyer can argue just about any side of a legal issue. In the final analysis, the only legal argument that really counts is a Supreme Court majority opinion and those can frequently be used to argue both sides of a case.

Moving Forward

Probably the most noteworthy thing about these articles is that there appears to be an effort being made to keep these issues in the public. I kind of suspect that we will be seeing some sort of action on one or more of these bills in the near future. Unfortunately, I don’t think that any of these bills will reach the President’s desk before the first week in November; it’s just too late in a presidential election year for a subject as controversial as this.