The Senate Commerce Committee recently began circulating a staff discussion draft of cybersecurity legislation. This Staff Draft is a new and significantly different approach to cyber from the one advanced in the last Congress. Here’s how the staff characterize the bill:
[T]he draft bill consists of four titles:
- NIST-facilitated, industry-driven process for developing a set of voluntary cybersecurity standards for critical infrastructure. These standards will not duplicate or conflict with existing cyber requirements or regulatory processes, and they will be non-regulatory, non-prescriptive and technology neutral.
- Strengthening cyber research and development. Builds on existing research and development programs and ensures better coordination across the federal government.
- Improvement of cyber workforce development and education.
- Increased public awareness of cyber risks and cybersecurity.
Regarding the NIST standards process, one question that we have received in recent months from some stakeholders is whether it would be preferable to wait until NIST completes the Cybersecurity Framework as directed in the February 2013 Executive Order before legislating in this area. This legislation neither codifies nor disrupts that ongoing process, yet with the value of that process in mind, we also believe it is important to begin legislating on this matter now, for two critical reasons:
- First, this draft legislation would enshrine NIST’s non-regulatory, voluntary standards and private sector-driven process, giving businesses certainty both that their lead role in this process will continue after February of next year (after publication of the Framework under the EO), and that the outcome of the EO itself will be voluntary.
- Second, and distinct from prescriptive regulatory approaches that other jurisdictions worldwide are considering (particularly the EU, India, and China, see, e.g., http://www.computerweekly.com/news/2240178256/How-will-EU-cybersecurity-directive-affect-business), statutory enactment of NIST’s voluntary, private sector-driven process and international consensus standards approach for cybersecurity will allow the United States and US companies to take the lead in establishing global principles, norms and standards on cybersecurity for years to come. Otherwise, prescriptive government-centric approaches will likely fill the vacuum.
I will have more to say about the bill in some detail as it moves through the legislative process. But for now, I think it is fair to characterize this as a commendable first step toward compromise. Democrats have given up the mandatory/regulatory approach and also forgone any role for DHS (a red flag to Republicans). The Republicans, in turn, have given up an insistence on liability protection and enhanced information sharing. Meanwhile, both sides have stepped back from the hyper-incentives that the EO might authorize and from the somewhat ineffective SEC enforcement methodology.
What we are left with is what the government and NIST do best — assemble a collaborative, inclusive group for the development of best-practice type standards. I have little doubt that, once developed, the standards will be the start of the creation of domestic and international norms of behavior.