Does cybersecurity legislation have a chance?

Author:Crooks, Christina

In his first State of the Union address of his second term, I President Barack Obama announced a new executive order aimed at strengthening American cyberdefenses. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," the president said, calling on Congress to pass legislation.

If past is prologue, the ability of Congress to agree on and pass cybersecurity legislation will be easier said than clone. For more than 10 years, the issue has been discussed in Washington as the frequency and sophistication of cyberattacks have increased. It is complicated, in part, due to the many different aspects of government with a role to play in protecting against cyberthreats.

Currently, all federal agencies have cybersecurity responsibilities in terms of individual systems, but there are also cross-agency responsibilities that involve the U.S. Department of Homeland Security or other agencies. To add further complexity, several congressional committees have a hand in shaping cybersecurity policies. In the U.S. House of Representatives, for example, at least nine committees have jurisdiction over cyberissues. With the vulnerability and responsibility spread around, coordination and information sharing is a vital component of current policy efforts.

A Presidential Priority

The president's Executive Order 13636 instructs federal agencies to develop voluntary standards for important private sector stakeholders. It also requires the government to produce unclassified reports of threats to U.S. companies in a timely manner. The order only goes so far, however, and the administration has requested that Congress pass legislation to encourage companies to share cyberthreat information while also protecting privacy and civil liberties protections.

Though many applaud making cybersecurity a priority, some in the private sector have criticized the order for leaving out explicit protections from potential liability that many businesses feel is necessary to participate in cybersecurity information sharing. Others criticized the executive order for creating a new burdensome regulatory regime.

Still, the decision to make the standards voluntaiy is significant for finding a legislative path forward, since the administration has previously supported measures that involved mandatory standards. During the 112th Congress, the administration backed Senate legislation, the Cybersecurity Act of 2012 (S...

To continue reading