
SUMMARY: CYBER LEGISLATION

Issues Briefing: Reporting on Cyber Security

Kristen Verderame
July 13, 2012

Pondera International

TABLE OF CONTENTS
- Overview of Issues
- Current Status of Legislation
- Senate - detail
- House - detail

OVERVIEW OF ISSUES
Information Sharing
- Between private sector and government
- Whether bidirectional sharing
- Voluntary or mandatory
- Through DHS or independent cyber hubs

Critical Infrastructure

- How to define, who to include
- How to protect: mandatory vs. voluntary
- Certifications / audits
- Types of incentives

Other issues:
- FISMA
- Privacy
- Data Breach
- Liability Protection
- Supply Chain
- Workforce
- R&D

Jurisdiction and structure: who owns, who does what
- DHS having the main role, or dispersed among agencies
- The role of NSA
- Operational vs. budget vs. strategy ownership

CURRENT STATUS OF CYBER LEGISLATION


Senate:
- Has taken a more comprehensive approach (all issues in one bill)
- Lieberman/Collins bill had the most traction until late fall
- At that time, McCain and a small group of Republican senators introduced a competing bill that does not address critical infrastructure, making the discussions partisan
- Current discussions underway to work out a compromise, led by Sens. Whitehouse, Kyl, Graham, Blumenthal
- Reid has stated commitment to bring Lieberman/Collins to the floor in July; looks like the last week of July

House:
- Took a piecemeal approach (each issue in a separate bill)
- Passed four separate bills in April during Cyber Week
- Bills included Information Sharing, FISMA, R&D and NITRD
- Main bill dealing with DHS (sponsored by Cong. Lungren) did not go to the floor

SENATE
Key elements of compromise approach

KEY ELEMENTS OF COMPROMISE


I. Scope:
- Subset of CI identified by DHS, DOD, DOC, sector-specific agencies with private sector input (Task Force)
- This subset may participate in the Cybersecurity Protection Program (CPP)
- If they do, they get liability protection

II. Process:
- Standards developed by Task Force (outcome-driven and technology-neutral)
- Self-certify
- Audit of a subset of those who self-certify; good for 3 years

COMPROMISE (cont'd)

III. Audits: conducted by private sector, as authorized by DHS

IV. Protections: only if cyber attack (definition is critical here!)
- Liability
- Government contracts considerations
- Security clearance
- Exclusions: gross negligence, willful or reckless; fraudulent or willful misconduct

HOUSE
Individual summaries of 4 bills passed in April

HR 3523 Cyber Intelligence Sharing and Protection Act


Sponsored by Chairman Rogers (R-MI) and Ruppersberger (D-MD)

INFORMATION SHARING: CISPA


Select Committee on Intelligence

Congress should allow for new entities to:
- Act as a clearing house of information
- Government and private sector to plug in information and combine it for ISPs and others to use to block attacks
- SPII removed and sanitized before sharing back to government
- Disseminate real-time information, NOT after the fact
- DHS to become the hub for USG information sharing; all information given to government will be copied to DHS
- Separate from government but perhaps partially funded; envision a number of private sector entities having this role, operating outside of government
- Complete transparency to all parties on how info is shared and for what purpose
- Annual review by an independent Inspector General re: privacy
- DIB pilot to be a model; coordinate with other existing efforts
- Limited safe harbors for private sector for liability

HR 4257 Federal Information Security Amendments Act of 2012

FISMA REFORM
Sponsored by Chairman Issa (R-CA)

Oversight and Gov Reform Committee

- Provides for automated and continuous monitoring
- Requires regular threat assessment instead of periodic "check the box" reviews
- Does not mandate anything re: private networks
- Stresses the need for public-private partnerships

HR 2096 Cybersecurity Enhancement Act of 2011

Committee on Science, Space & Technology
Sponsored by McCaul (R-TX)

R&D

- Coordinates R&D activities conducted across the federal agencies to better address evolving cyber threats
- Reauthorizes basic cybersecurity research programs at the National Science Foundation (NSF), and strengthens the efforts of the NSF and the National Institute of Standards and Technology (NIST) in the areas of cybersecurity technical standards and cybersecurity awareness, education, and talent development

HR 3834 Advancing America's Networking and Information Technology Research and Development Act of 2012

NITRD

Committee on Science, Space & Technology


Sponsored by Chairman Hall (R-TX) and others, bipartisan

- Reauthorizes the Networking and Information Technology Research and Development (NITRD) Act
- The NITRD program, now in its 20th year, represents the federal government's central R&D investment portfolio for unclassified networking, computing, software, cyber security, and related information technologies
- The NITRD program focuses on R&D to detect, prevent, resist, respond to, and recover from actions that threaten to compromise the availability, integrity, or confidentiality of computer- and network-based systems

Questions?

kverderame@ponderainternational.com
+1 703 980 7690

Kristen Verderame
July 13, 2012

Pondera International
