There are, according to http://www.govtrack.us, 10,602 bills and resolutions currently before the United States Congress. Of those, 79 deal specifically with "cybersecurity." Normally, only about 5% of all of the above bills and resolutions will ever be enacted into law. Of the major cybersecurity bills, perhaps two – CISPA & Lieberman – have better than a one in five chance of being enacted into law this year (during the tenure of the 112th Congress).
Four or five major cybersecurity bills are garnering the most attention at the moment, either because they have passed the House or the Senate, or because they raise the specter of a dystopian state where "Big Brother" has been enacted into law.
The major bills…
CISPA (H.R. 3523) or the Rogers Act. Status – On Union Calendar. This bill passed the House on April 26, 2012 and goes to the Senate next for consideration.
The PRECISE Act (H.R. 3674) or Lungren Bill. Status – Currently bogged down in committee.
The SECURE IT Bill (S. 2151) or McCain Bill. Status – Introduced.
The SECURE IT Act of 2012 (H.R. 4623) or Bono Bill. Status – Referred to committee.
The Cybersecurity Act (S. 2105) or Lieberman Act. Status – Reported by committee.
To my way of thinking, all of these bills are well-intentioned; that is, they all attempt to create infrastructure and processes designed to protect America’s national Internet-based interests, which clearly have been compromised to some extent. But as my Aunt Ruth used to say, “Good intentions are born in hell.” There are at least four issues that must be resolved before we get a “good” cybersecurity bill enacted, the first two of which (of course) are 100% political:
At least nine committees in the House oversee at least some aspect of cybersecurity. This is nuts. Everyone in the House is after a piece of the cybersecurity pie, and the grandstanding that results leads to bills that overlap, are poorly reasoned, or are just bad. There ought to be a single committee in each chamber of Congress responsible for this issue.
There exists a clear division in both the House and Senate regarding which agency – DHS (a civilian agency) or NSA (a defense agency) – will ultimately be responsible as the clearinghouse for the information sharing that all of these bills address. It is clear from historical, functional and accountability data that defense and intelligence agencies operate differently from civilian or law enforcement agencies, particularly with regard to privacy issues.
“Shared Information” must be explicitly defined: what can be shared, who is authorized to view it, and what actions can subsequently be taken once it has been processed?
Most importantly, the concept of “Individual Privacy” must be protected. Although not explicitly stated in the Constitution, I believe that it’s an easy argument to make that almost all Americans expect and believe that privacy is a fundamental and protected liberty.
All of the bills above attempt to walk a fine (or, in the case of several, broader) line with respect to the difficult issue here: How do we most effectively monitor IP-based communications for “evil-doers” while at the same time refraining from turning any cybersecurity measure into a backdoor wiretapping program, which – I believe – infringes on a fundamental right to privacy? As a side note: this also has implications for the ongoing BYOD controversy, which essentially boils down to what an organization or government can or cannot do to a device that I own – my private device.
**What does this have to do with Fortinet?**
CISPA, as it now stands (amendments are being added almost daily to address some of the privacy concerns), cedes control over shared information to the NSA. I believe that this is wrong. I believe that control over this information must reside in at least a semi-public venue (i.e. DHS), so that several notions currently unpopular within the existing Congress, such as transparency and public accountability, at least have a chance of being taken seriously. CISPA is more than a little frightening because it has the real potential to erode or circumvent existing privacy laws, so as to make those laws essentially meaningless.
CISPA (less pending amendments):
Has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;
Is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;
Is likely to shift control of government cybersecurity efforts from civilian agencies to the military;
And interestingly, once this information is shared with the government, it does not have to be used for cybersecurity, but could instead be used for any purpose that is not specifically prohibited.
In summary, all of the bills/acts listed above suffer to a greater or lesser degree from either vague wording or uncertainty about who will ultimately control this shared private, privileged information.
I currently favor the Lungren Bill because I believe that it (as originally written) most clearly defined “Shared Information” and placed control of access to those data in a public clearinghouse under the purview of DHS. However, evidence suggests that this bill, which barely made it out of a markup session on April 18, 2012, will be so gutted that the above two attributes will be removed or made meaningless. Also, this and the other competing bills/acts are clearly part of a bigger power play between the defense-related committees and DHS, which appears to have little stroke in this area.