SIIA offered its views to the Senate on cybersecurity on Tuesday, in a letter to Sen. Majority Leader Harry Reid (D-NV) in advance of the imminent Senate consideration of cybersecurity legislation.
Our members are dedicated to strengthening the nation’s IT infrastructure and protecting against growing cyber threats. These threats are more sophisticated and targeted than ever and are growing at an unprecedented rate. We know that as a nation, we can’t afford to delay advanced protection and instantaneous remediation.
That’s why SIIA believes that the most effective course of action is to focus in the short term on several critical priorities that enjoy broad bipartisan consensus. These key priorities are:
o Enhance information sharing between the public and private sectors,
o Reform of the Federal Information Security Management Act of 2002 (FISMA),
o Enhance and improve law enforcement tools and criminal penalties for cybercrimes, and
o Encourage increased cybersecurity research.
At the same time, SIIA believes that some complex issues of cybersecurity are not nearly as close to broad consensus. Including them in a comprehensive bill would give them short shrift and potentially slow down the bill’s adoption; most importantly and worryingly, the proposals advanced to date on some of these issues would seriously hinder the very innovation that is our best tool against cyber threats. Securing the Nation’s public and private IT networks will require the attention of Congress, the Administration and industry for the weeks, months and years ahead. It’s not something that can or should be achieved with one piece of legislation. Some of these complex issues include:
o Provide a national framework for data security and data breach notification,
o Designate and protect “covered critical infrastructure” (CCI),
o Clarify the role and authorities of the Department of Homeland Security (DHS),
o Ensure the security of the U.S. IT supply chain, and
o Create incentives for individuals and businesses to enhance their cybersecurity preparedness.
In particular, SIIA would welcome forward movement on a good data security and breach notification legislation. However, House and Senate consideration of this legislation in 2011 revealed many significant differences still needing to be resolved.
While SIIA does not support a heavy regulatory approach to cybersecurity, we do believe that positive incentives have a higher probability of success in two ways: a higher chance of better actual cybersecurity outcomes, and a higher probability of actually becoming law. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Furthermore, positive incentives (rather than negative ones) are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success. SIIA strongly supports exploring positive incentives for individuals and businesses of all sizes as a long-term ongoing approach to securing the Nation’s IT infrastructure.
We are hopeful that the Senate can pass cybersecurity legislation that will quickly address some of the most critical threats to our nation’s IT infrastructure. SIIA members – whose companies work tirelessly to develop and deploy cutting edge cybersecurity solutions – will continue to actively engage policymakers to rapidly enact legislation that promotes technological innovation as the key to better cybersecurity.
David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.