Digital Policy Roundup

FTC Calls for Legislation to Regulate Data Brokers

On Tuesday, the Federal Trade Commission (FTC) released its long-awaited report resulting from an extensive study of “data brokers.” The report, entitled “Data Brokers, a Call for Transparency and Accountability,” presents the findings of the study and provides recommendations for both legislation and industry best practices. Among the legislative recommendations, the Report calls for substantial transparency requirements to be placed on both first- and third-party companies, and requirements for consumers to be able to access and correct their records, and to opt out entirely. In response to the Report, SIIA issued a statement expressing support for increased transparency and consumer access, but cautioned against a legislative approach, favoring industry-led self-regulation instead. SIIA’s statement follows related advocacy, including recent comments to the FTC regarding “alternative scoring” and a 2013 white paper highlighting the effectiveness of the current Fair Credit Reporting Act regulatory framework to prevent harm to consumers.

Surveillance Reform Legislation Passes House After Key Amendments

Last Thursday, the House passed the USA Freedom Act by a vote of 303-121, but only after several last-minute amendments that limited the amount of transparency businesses are able to provide and expanded a critical definition. As a result, instead of entirely blocking the government’s ability to collect bulk amounts of Internet users’ data, the new bill could potentially allow federal agents to gather information broadly. The measure now moves to the Senate, where Judiciary Chairman Patrick Leahy has promised to make changes to strengthen these areas. While the legislation represents a significant step forward in the efforts to reform the national surveillance laws, there will be continued debate in the weeks ahead on these key details. In response to the bill’s passage, SIIA issued a statement affirming that surveillance reform legislation is an essential part of restoring the public trust and providing support for U.S. businesses internationally, and committing to ensure that the bill does not inadvertently provide for bulk collection of user data on the Internet.

White House Calls for Voluntary Cyber Action, Not Regulation

In a blog post last week, White House Cyber Czar Michael Daniel declared that no new cybersecurity regulations are needed at this time, instead stating that “existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information.” Specifically, the Administration’s internal review by several key agencies – DHS, HHS and EPA – reached the conclusion that existing laws and regulatory authority are sufficient, particularly in light of the voluntary framework. Earlier this year, SIIA hailed the NIST Cybersecurity Framework for creating a voluntary approach to cybersecurity that would preserve IT innovation and technology neutrality, contrasting this with an inflexible regulatory approach, and we applauded the Administration’s conclusion last week.

House adds DOTCOM Bill to National Defense Authorization Act

On May 21, 228 Republicans and 17 Democrats voted in favor of the DOTCOM bill with 177 members opposed. The Bill would oblige the GAO to provide a study to Congress within one year of the Commerce Department receiving a proposal on how to transition the Internet Assigned Names Authority (IANA) functions to a multistakeholder managed group, thereby relinquishing the last vestige of U.S. government “control” of the Internet. Currently, the Internet Corporation for Assigned Names and Numbers (ICANN) is contractually responsible (with Verisign doing the work) to the Commerce Department for managing these functions. The study would oblige the GAO to write a report on the following topics:


White House Cyber Review Calls for Voluntary Action, Not Regulation

Earlier this year, SIIA hailed the NIST Cybersecurity Framework for creating a voluntary approach to cybersecurity that would preserve IT innovation and technology neutrality, contrasting this with an inflexible regulatory approach.  We are therefore very pleased today that the Administration’s review by several key agencies—DHS, HHS, EPA—reached the same conclusion.  In a blog this afternoon, White House Cyber Czar Michael Daniel concluded that no new regulations are needed at this time, instead stating,

“existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information.”

We couldn’t agree more.  SIIA and our members remain committed to promoting the Framework which leverages industry-led standards, and creates effective, flexible best practices for cybersecurity preparedness.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Applauds DOJ and FTC Guidance that Sharing of Cybersecurity Information Does Not Violate Antitrust Laws

Companies have sometimes been reluctant to share cyber threat information due to concerns over violating antitrust laws. Last Thursday, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) addressed these concerns by issuing a joint policy statement affirming the legality of cybersecurity information sharing under the antitrust laws. The Agencies (DOJ and FTC) acknowledged that information sharing is critical to mitigating the severity and frequency of cyber attacks and therefore issued guidance.

SIIA applauds the Agencies’ commitment to protecting American enterprise and advocating for the necessary information sharing to combat the increasing number of cyber threats. This is an important step forward.  Congress can add to it by passing legislation that would provide a safe harbor against the risk of frivolous lawsuits for companies that share cybersecurity threat information.

Deputy Attorney General James M. Cole in remarks at the Pen and Pad Briefing had this to say,

“Some companies have told us that concerns about antitrust liability has been a barrier to being able to openly share cyber threat information with each other. We have heard you. And speaking on behalf of everyone here today, this guidance responds to those concerns, lets everyone know that antitrust concerns should not get in the way of sharing cybersecurity information, and signals our continued commitment to expanding the sharing of cybersecurity information.”

The importance of sharing cyber threat information, in the interest of protecting and improving the safety of American networks, cannot be overstated. This system of sharing, as indicated by Cole, has three parts:

  1. Companies sharing with government
  2. Government sharing with companies
  3. Companies sharing with each other

Assistant Attorney General Bill Baer reiterated,

“As we are well aware, cyber threats are increasing in number and sophistication, and sharing information about threats, such as incident reports, indicators and threat signatures, is something companies can do to protect their information systems and help secure our nation’s infrastructure. This kind of information sharing is good public policy. And the antitrust agencies support it.”

The guidance is the Department of Justice/Federal Trade Commission “Antitrust Policy Statement on Sharing of Cybersecurity Information.”


Sabrina Eyob is the Communications and Public Policy Intern at SIIA. She is a recent graduate of Michigan State University, where she studied Comparative Cultures and Politics, and International Relations.

SIIA Responds to RFI on Acquisition Provisions in Cybersecurity Executive Order

Earlier this week SIIA submitted comments in response to the proposed implementation of Section 8(e) of Executive Order 13636 – Improving Critical Infrastructure Protection, issued on February 12, 2013.  We greatly appreciate the opportunity to provide formal comments to GSA and DOD on this critical section of the Executive Order.

SIIA shares the overall goals of the Administration in developing a cybersecurity framework that improves our ability to protect government information and critical infrastructure from cyber-attacks.  In fact, many SIIA members provide products and services that protect businesses, consumers and public sector entities from cyber-attacks, viruses and a wide range of online security threats.  As a result of this experience, these members have a critical voice in the debate on the implementation of Section 8(e) of the Executive Order.  While we recognize the importance of the overall goals of the Executive Order, we have some significant concerns regarding the potential effects of its implementation as proposed in the RFI.

Most notably, we have an overarching concern that the RFI itself does not accurately reflect the carefully crafted definition of “critical infrastructure” reflected in the Executive Order.  Instead the RFI appears to sweep all IT companies or their customers into the same regulatory basket as the most critical systems.  This distinction is crucial as not all systems and assets should be required to comply with this level of regulation.

In addition, SIIA expressed concerns in our comments about how the development of a broad cybersecurity framework, an ongoing process at NIST, may impact sector-specific guidance such as what is proposed here for the government contractor/acquisition sector.  As a result, we have requested that the implementation of Section 8(e) be delayed until the NIST cybersecurity framework has been fully developed.

Furthermore, we support the “common criteria” as a globally recognized, effective solution to a rapidly changing IT marketplace. We caution the Administration to avoid establishing any new, overly prescriptive supply chain or software assurance scheme that would establish the Government as a leader in the process of developing technology or that would create a US-centric standard, as this would conflict with the proven security regime that has long been the foundation of our national security strategy.

We also point out concerns about how what is proposed in this Executive Order may impact the consistent, accepted, risk-based government cybersecurity requirements contained in FISMA.  Beyond its impact on FISMA, the Executive Order may also overlap with and be redundant to the FedRAMP program, potentially subjecting any Internet-enabled computing services utilized by the government to new baseline security assessments, on top of the existing FISMA and FedRAMP requirements. Not only would this practice be costly, slow, and inefficient, but it could lead to new technology-specific overlays for services that are already being utilized and assessed by the federal government in a technologically neutral way.

Lastly, we highlight our concerns regarding the potential effect of the rules proposed as a result of the Executive Order on the other major cyber-related requirements, both current and proposed, including those found in the FAR, the DFARS, FISMA and the last two National Defense Authorization Acts.


Michael Hettinger is VP for the Public Sector Innovation Group (PSIG) at SIIA. Follow his PSIG tweets at @SIIAPSIG. Sign up for the Public Sector Innovation Roundup email newsletter for weekly updates.

SIIA Hails House Passage of Cybersecurity Legislation, Urges Senate to Act

SIIA commends today’s House passage of the Cybersecurity Intelligence Sharing and Protection Act (CISPA, H.R. 624) and three other critical cybersecurity bills passed earlier in the week. Following the House passage of this legislation, I issued the following statement:

Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks as well as increasing security across the board. SIIA supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats.  Today, the House clearly recognized this vital need, and as cybersecurity threats and damage continue to grow, it is essential that the Senate move quickly to approve these bills.

CISPA creates the necessary flexibility for businesses to share security information without fear of legal or regulatory liability. Specifically, CISPA would protect companies and organizations that share threat and vulnerability information with the government from legal liability and the risk of lawsuits, while also providing a critical exemption from antitrust laws that currently discourage information exchanges between private companies.

Additionally, SIIA applauds House passage of three other key cybersecurity measures to reform federal information security management and enhance cybersecurity R&D. These measures include:

  • Federal Information Security Amendments Act (H.R. 1163)
  • Cybersecurity Enhancement Act (H.R. 756)
  • Advancing America’s Networking and Information Technology Research and Development Act (H.R. 967)

With cyber threats more sophisticated and targeted than ever, now is the time to act on critical cybersecurity legislative priorities. We urge the Senate to move with all deliberate speed to consider these key measures and advance the Nation’s cybersecurity readiness.


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Calls for Support for Cybersecurity Legislation

SIIA called on congressional leaders today to enact legislation that would help the government detect cybersecurity threats.  In a letter sent today, SIIA thanked Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) for their bipartisan leadership with regard to the Cyber Intelligence Sharing and Protection Act (CISPA), and urged members of the House Select Intelligence Committee to support this legislation.  In the letter, I commented:

Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks – increasing security across the board. SIIA supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats.  Specifically, CISPA would provide needed legal certainty that threat and vulnerability information voluntarily shared with the government would be provided safe harbor against the risk of lawsuits, and it would also provide a critical exemption from antitrust laws that currently discourage information exchanges between private companies.

 


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Joins other Trade Groups in Supporting Cyber Legislation Introduced Today

Today, SIIA joined with other leading trade associations in support of the Cyber Intelligence Sharing and Protection Act (CISPA), bipartisan cybersecurity legislation introduced today by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) to enhance sharing of cyber threat information between the public and private sectors.  Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating cyber-attacks. CISPA would establish a framework that enables the public and private sectors to work together in sharing information on known threats and vulnerabilities, and enactment of this legislation would increase security across the board.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy
