By John Dickson
I recently had the opportunity to participate in a US Chamber of Commerce public policy discussion in Washington DC with Representative Michael McCaul (Twitter: @McCaulPressShop) who is a Congressman from Central Texas and is Chairman of the House Homeland Security Committee. This committee, along with its counterpart in the Senate, helps develop cyber security legislation in the U.S. Although the event occurred the week after RSA, this group of security industry leaders could not have been more different than the typical RSA attendee. For starters, everyone wore suits…
Some additional background is of value here... Rep. McCaul is a cyber security policy veteran in Washington DC. In his new position as the House Homeland Security Committee Chairman, McCaul is now also the House of Representatives point person for any proposed cyber security Federal legislation coming out of the House. As such, he has a lot of power to affect the future of our country, and although he’s not a technology guy per se (he’s an attorney), he has a solid grasp of the critical high-level cyber security and privacy public policy issues that most of us are comfortable letting others handle.
In last month’s policy meeting, Congressman McCaul’s remarks probed many cyber security public policy “touch points” that are frequently covered in the popular press such as:
- In spite of deep cultural issues, can the Federal government do a better job of sharing time-sanitized threat information to commercial companies in a timely manner?
- What can companies do better in order to share this critical information amongst themselves and with the Federal government?
- If companies do share threat and vulnerability information with the government or industry players, can they do so with better liability protections?
- What security standard – if any – should companies be held to?
The well-dressed audience (it was the Chamber after all) listened intently while Congressman McCaul provided key updates regarding the Congress legislative environment in this Congress. His characterization of the last Congress on cyber security legislation (“universes apart”) was probably overly kind. Given the political log-jam leading up to last fall’s election, absolutely nothing was going to get done prior to the election since both parties were reluctant to give the other party a “win” in the run-up to November. However, according to McCaul, things might be different this time.
Also discussed were the realities that much of the nation’s infrastructure, as well its security expertise, resides in the private sector. Couple that with the reality that any legislation passed by Congress may very well be obsolete by the time it reaches the President’s desk for signing and you get a gist of the challenge here.
In spite of the acrimonious political environment surrounding the sequestration, McCaul shared with the audience that cyber security legislation was an area that both parties might just be able to reach consensus. He cited the efforts of Michael Daniel, White House Cyber Security Coordinator, to reach out to certain Congressional Leaders to review the recent White House Executive Order issued by President Obama on February 13th of this year. Certainly the headlines involving nation state threats to our critical infrastructure and the recent Mandiant white paper highlighting China’s activities in this arena have helped drive some consensus on this issue. Perhaps many of our Congressional leaders are looking for an issue – any issue – in which they can find a modest level of agreement.. Rep McCaul’s initial analysis of the Executive Order was it:
- Get solid feedback from the private sector
- Better defines the role of the Department of Homeland Security
- Voluntary standards need further definition
- It leaves open the door to future industry regulation
Rep. McCaul insisted that two things most likely will not happen this session:
- Anything involving the “R Word,” i.e. regulation. There seems to be zero political appetite for turning the screws on American businesses to tighten security standards especially during these uncertain economic times. This was welcome news to everyone in the room.
- Ambitious legislation that helps to define all aspects of information sharing and standards that would have a profound impact across industry. Instead, look for our elected officials to nibble around the edges of these issues and perhaps make incremental gains around information sharing.
However, one of the more interesting moments of the sessions came during the Q&A. A representative of the electrical provider in the DC area posed an intriguing question. When, not if, a sophisticated attacker breaches their utility, which Federal agency should they respond to first, and in what order? When they show up on their doorstep, should they respond to the DoD (Department of Defense), the DHS (Department of Homeland Security), the FBI, NERC (the North American Electrical Reliability Corporation), FERC (the Federal Energy Regulatory Commission), or who else first? McCaul responded that they should speak to DHS first although many members of the audience probably thought the reality would be slightly more complicated.
So, if you are interested in cyber security issues, you should probably spend some small percentage of your time keeping track of the cyber security legislative efforts and policy issues occurring at the national and state levels. It was an eye opening experience for me and I learned a tremendous amount about how large enterprises are approaching this issue after just one session at the US Chamber. The bottom line is that you may not care about policy and politics on a day-to-day basis, but somebody within your organization does -likely someone higher up the food chain than yourself - and some day they might ask you about your interpretation of these efforts. It would be good for yourself and your organization to have an answer ready.
For some more information on budding Federal cybersecurity policy, check out:
- Executive Order for Improving Crical Infrastructure Cybersecurity
- US Chamber of Commerce policy position
Contact us if you have any stories you want to share about how cybersecurity legislation might impact your business.
john _at_ denimgroup.com