National Cyber Security Month: Already Several Notable Developments on Federal Cybersecurity Policy
Well, we’re halfway through another National Cyber Security Awareness Month and there have been several important developments on cyber security policy issues emanating from our nation’s capital city.
On October 4th, the House Permanent Select Committee on Intelligence held its first open, full committee hearing on this topic during the 112th Congress. Titled “Cyber Threats and Ongoing Efforts to Protect the Nation”, the hearing featured testimony from General Michael Hayden of the Chertoff Group (a former Director of both the CIA and NSA), Kevin Mandia, CEO of MANDIANT, and EMC’s own Art Coviello, Executive Chairman of RSA. There was a lot of discussion about economic cyber espionage and what can be done to address this problem and other cyber challenges, including: changes to government policy; what can be done to create more effective ecosystems between the public and private sector; and the necessary adjustments to risk management and technology strategies. The hearing was well attended by both Republican and Democratic Members of the Committee and, I think, succeeded in helping to educate policymakers and the public about the seriousness of the cyber security challenges that our society faces. To review the statements for the record at the hearing by the Committee Chairman and Ranking Member and the expert witnesses, click here.
On October 5th, the House of Representatives Republican Cybersecurity Task Force issued recommendations for action by the U.S. Congress. Calling cyber a “major national security issue” and stating that cyber is “connected to our economy and job creation”, Task Force Members called for a sense of urgency and said that targeted legislation could help. In a blog post on his Congressional website on October 11th, the Task Force Chairman, U.S. Representative Mac Thornberry (R-TX) stated that “we simply can’t allow legislative gridlock to continue on this issue” and that “we cannot let the quest for a perfect bill prevent a good one from passing”. The report included a very reasonable legislative framework to act on. Will the U.S. Congress finally move to update legal authorities and outdated laws and remove other barriers to address this real national and economic security issue? I’ll quote from Congressman Thornberry’s October 11 blog post again:
“Every day intellectual property – things like blueprints, formulas, test results, and business plans – are being stolen from American businesses small and large. When American ideas are stolen, American jobs are stolen. And our economic security, as well as our national security, is undermined. Whatever our differences on other issues, this is one area where Congress and the President need to act – now.”
There were also at least two other important policy developments on cyber security in recent days.
On October 11th, the Business Roundtable (a Washington, DC-based business group of America’s leading CEOs) released a strategy to “protect U.S. economic and national security from growing global cybersecurity threats.” The report, titled “Mission Critical: A Public-Private Strategy for Effective Cybersecurity”, makes specific recommendations for how the government and private sector can work together to make needed cyber security improvements.
On October 13th, the Division of Corporation Finance at the U.S. Securities and Exchange Commission (also in Washington, DC) issued guidance regarding disclosure obligations relating to cyber security risks and cyber incidents. The guidance states that “a registrant may need to disclose known or threatened cyber incidents to place the discussion of cyber security risks in context.” In a statement issued on October 13th, U.S. Senator John Rockefeller, Chairman of the Senate Commerce, Science & Transportation Committee, stated: “The guidance fundamentally changes the way companies will address cybersecurity in the 21st century.” This is a major development in my view.
All these developments will likely have some influence on the national debate happening right now on what policies and laws need to be changed in order to make improvements to our nation’s cyber security posture. Stay tuned as the process unfolds.





