Cybersecurity legislation: solution or distraction?

• Author: Erwin, Sandra I.

After three years of debate and intense horse-trading, four major pieces of cybersecurity legislation have collided on Capitol Hill. Each claims to provide definitive policy and legal answers on how the United States should protect itself from crippling cyber-attacks.

The 111th Congress started out with more than 80 pieces of draft legislation, which the 112th Congress whittled down to 35. It may fall on the 113th Congress to take final action.

Each of the resulting four bills has been endlessly revised as committees sought to sponge up a torrent of conflicting bureaucratic and business agendas. Congress and the White House continue to attempt to hammer out a coherent document that can guide the nation forward.

No resolution is expected during an election year. But even if Congress managed to schedule a vote, national security experts worry that whatever emerges from the legislative morass will not answer basic questions about how U.S. government agencies and industry can better fend off network intrusions.

Government contractors, especially those that are responsible for sensitive Defense Department and intelligence information networks, caution that the legislation in its current form will be ineffectual because it puts other priorities ahead of national security. The legislation tries to cover all bases, but it does not go far enough because it fails to make cyber-security an "immediate national security concern," said Rolando R. Sanchez, a litigation and government contracts attorney at Hollingsworth LLP.

Sanchez chairs a defense industry group that has reviewed and commented on the proposed legislation and guidelines.

"Because that basic approach is not being followed, there is no urgency and no definite role for government," he added.

[ILLUSTRATION OMITTED]

In the absence of a sense of urgency, "different groups stall the legislation," said Sanchez. National security interests in this case are at odds with corporate priorities such as warding off government interference. "If cybersecurity legislation were approached as a national security concern," the business interests would adjust accordingly, Sanchez contended. One of the federal government's primary roles is the defense of the nation, he said, so cybersecurity concerns would trump other agendas.

Companies in the defense industry, several of which are Sanchez' clients, worry that theft of sensitive intellectual property by other nations' governments or groups severely compromises...