At final hour, Congress passes reasonable cybersecurity legislation


In spite of a feeble legislative term, including the particularly devastating failure of surveillance reform, the 113th U.S. Congress pushed through four positive last-minute cybersecurity bills over the past two days. President Obama is soon expected to sign these bills into law. The new cyber measures increase government transparency and Congressional oversight of federal cybersecurity efforts, while expanding coordination between civilian agencies. Access supports the efforts of Congress to pass cybersecurity legislation and hopes the momentum will lead to more significant legislation for the 114th Congress.

Congress has been understandably motivated to pass cybersecurity legislation. In the second half of 2014, intruders hacked into the State Department, White House, Post Office, and National Oceanic and Atmospheric Administration. The full extent of damage from these breaches is not yet clear, although personal information, including customer telephone numbers and email addresses, were lost in the Post Office breach. The Post Office has so far failed to provide clear details of what and whose information was lost.

This is why the most significant reforms are in the Federal Information Security Modernization Act, which compels agencies to notify users affected by a data breach. Notification requirements push organizations to better understand breaches, instead of pretending they don’t happen. They also allow users to learn about the risks to their personal information posed by online criminals and governments conducting cyber espionage. They can then take steps to protect themselves and seek remedy. Post office customers, for example, could choose a courier better suited to protect their privacy and security.

All four cybersecurity bills expand civilian cyber authority by empowering the Department of Homeland Security (DHS). The alternative to DHS leadership over cyber issues, as we recently addressed, is typically military control. The National Security Agency’s cyber objectives, for instance, are opaque and involve sacrificing security in order to maintain surveillance capabilities. The Cybersecurity Workforce Assessment Act and Border Patrol Agent Pay Reform Act require assessment and research of U.S. cyber practices, including expansion of the government’s cyber workforce. The National Cybersecurity Protection Act authorizes the DHS’ National Cybersecurity and Communication Integration Center to coordinate and assist in cybersecurity efforts between federal, state, local, and private entities.

Notably, Congress passed these four pieces of cybersecurity legislation without the inclusion of a harmful information sharing regime, which Access opposes. We would still like to see notification requirements for data breaches at private entities, a legal remedy for the new federal breach requirement, and better research and educational tools. But this is a good first step. We still need to fight to clearly demarcate agencies charged with protecting our data from our intelligence agencies, and to provide greater statutory authority for oversight mechanisms. If there’s one grueling lesson from Congress in 2014: digital rights may come, but don’t expect them to come early.

image credit: ryoji ikeda on creative commons