Continued Absence of Congressional Action on Cybersecurity Policy
On April 3rd, addressing the American Bar Association in New York, former Sen. Evan Bayh (D-Indiana) posited an unsettling theory to the audience with respect to cybersecurity: “It will probably take a cyber attack succeeding in some way that significantly harms the country before we’ll be able to reconcile the debate in Washington about legislation.” Bayh cited the persistent partisan standoff on Capitol Hill as the primary reason for the absence of serious legislation addressing cybersecurity.
For years, government priorities and Administration mandates have called for legislative action by Congress on the ever-growing issue of cybersecurity and data protection with few positive developments, despite numerous reported attacks against financial institutions and critical infrastructure. In lieu of actionable legislation, the Obama Administration issued an Executive Order earlier this year that directed the National Institute of Standards and Technology to work with stakeholders in the government and private sector to develop a framework to reduce cyber risk. While the Executive Order serves as a fair starting point, stakeholders continue to call for firm Congressional guidance to promote security policies.
Currently, there are several pending bills in Congress, the foremost of which is the Data Security Act introduced in January by Sen. Tom Carper (D-Delaware), chairman of the Senate Homeland Security and Governmental Affairs Committee. The Act is in response to several recent, high-profile data breaches (e.g., Target, Neiman Marcus) that have threatened the data security of millions of American consumers. Financial Services Roundtable CEO Tim Pawlenty, former Republican governor of Minnesota, is a major proponent of the legislation, pointing to the growing scope and sophistication of today’s cyber attacks. Pawlenty echoed former Sen. Bayh’s comments about the potential consequences of Congressional indecision on cybersecurity: “I hope we don’t find ourselves a year from now…waking up to a bigger problem, wishing action would have been taken earlier.” Sen. Carper has signaled his commitment toward passing the bill this year and is looking to work with Sen. Tom Coburn (R-Oklahoma), an outspoken advocate of Federal cybersecurity reform and top Republican on the committee, to accomplish this goal.
What is clear is that there is prevalent demand and momentum, from both the government and private sectors, for near-term Congressional cybersecurity legislation. Any legislation put in place will certainly impact the ~$5 billion of estimated Federal cybersecurity spending in FY2015. Specifically, the key contractor areas that potential legislation will aim to address include: (i) building security into existing IT offerings; (ii) collaborative work between agencies and the private sector to protect critical infrastructure; and (iii) preventing the entry of counterfeit or tampered-with products into government networks. Hopefully, it will be proactive legislative decisions and thoughtful collaboration with the contractor environment, and not a reactive response to a major attack, that will spur a renewed Congressional commitment to Federal cybersecurity.