SIIA Supports the Cybersecurity Act of 2013 (S. 1353)

Today I wrote on behalf of SIIA to express support for the Cybersecurity Act of 2013 (S. 1353). SIIA is dedicated to maintaining and expanding the partnership between the private sector and the government to address our collective cyber security challenges, and we believe S. 1353 will help accomplish this objective.

Today’s cyber threats are more sophisticated and targeted than ever and are growing at an unprecedented rate. Cybercrime perpetrators have evolved from simple, low-budget hackers into cutting-edge state-sponsored threats, or well-financed criminal operations that contribute to a multi-million dollar cybercrime industry.

A critical cybersecurity priority for SIIA is to preserve IT innovation and technology neutrality. Additionally, SIIA has worked closely with the National Institute of Standards and Technology (NIST) across a wide range of initiatives to facilitate and support the development of voluntary, industry-led standards, and we believe NIST has a critical function to play in leading this effort in the development of cybersecurity standards and best practices for critical infrastructure. And SIIA is strongly supportive of efforts to enhance cybersecurity research and development, and to improve the cyber workforce and enhance education and public awareness of cybersecurity.

SIIA supports S. 1353 because it would accomplish these critical objectives for protecting the Nation from cyber threats.


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

Now is Not the Time to Weaken the Nation’s Cybercrime Laws

Today, legislation is being introduced in the House and Senate that would weaken the Computer Fraud and Abuse Act (CFAA), a long-standing law that is critical to software and digital content companies to protect their networks and the intellectual property in their products and services. The intent of the proposal is to rein in the possibly overzealous use of this statute by U.S. prosecutors in some recent cases, including the case that led to the tragic suicide of Aaron Swartz. While the bill is well intended and seeks to address real concerns, the proper fix is to clarify the prosecutorial guidelines, not a wholesale rewriting and weakening of the underlying statute.

U.S. companies and law enforcement agencies use the CFAA as the primary Federal anti-hacking law to protect billions of dollars of research and development that is under constant threat from hackers, organized criminal syndicates, and theft from competitors and foreign governments.  Other statutes are difficult to enforce and simply do not provide the same level of legal protection.

The weakening of the statute is especially problematic at this point because of the uptick in attacks on computer systems of U.S. corporations with the aim of stealing valuable intellectual property.  In fact, Booz Allen Hamilton recently provided a report revealing that “corporate IP is under constant assault.” Achieving substantial international consensus and coordination to fight this has become a matter of significant U.S. diplomacy.  Why at this crucial point would Congress want to cut back on the legal weapons we use to combat this plague?

Of course, there are different court interpretations of the statute. The ninth district reads it one way; the fourth district reads it another way.  Sooner or later, the different judicial outcomes will have to be sorted out by the Supreme Court, but none of the court decisions gut the statute in the way that the bill introduced today would.

The better way forward for Congress is to wait for this Supreme Court clarification and then see if further legislative revisions are necessary. In the meantime, the Justice Department can address any concerns about prosecutorial overreach through improved guidelines. But wholesale weakening of the Act takes U.S. cybercrime policy in the opposite direction, as it gives the green light to criminals at a time when we should be united in the stand against international computer crimes.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

SIIA Responds to RFI on Acquisition Provisions in Cybersecurity Executive Order

Earlier this week SIIA submitted comments in response to the proposed implementation of Section 8(e) of Executive Order 13636 – Improving Critical Infrastructure Protection, issued on February 12, 2013.  We greatly appreciate the opportunity to provide formal comments to GSA and DOD on this critical section of the Executive Order.

SIIA shares the overall goals of the Administration in developing a cybersecurity framework that improves our ability to protect government information and critical infrastructure from cyber-attacks. In fact, many SIIA members provide products and services that protect businesses, consumers and public sector entities from cyber-attacks, viruses and a wide range of online security threats. As a result of this experience, these members have a critical voice in the debate on the implementation of Section 8(e) of the Executive Order. While we recognize the importance of the overall goals of the Executive Order, we have some significant concerns regarding the potential effects of its implementation as proposed in the RFI.

Most notably, we have an overarching concern that the RFI itself does not accurately reflect the carefully crafted definition of “critical infrastructure” reflected in the Executive Order.  Instead the RFI appears to sweep all IT companies or their customers into the same regulatory basket as the most critical systems.  This distinction is crucial as not all systems and assets should be required to comply with this level of regulation.

In addition, SIIA expressed concerns in our comments about how the development of a broad cybersecurity framework, an ongoing process at NIST, may impact sector-specific guidance such as what is proposed here for the government contractor / acquisition sector. As a result, we have requested that the implementation of Section 8(e) be delayed until the NIST cybersecurity framework has been fully developed.

Furthermore, we support the “common criteria” as a globally recognized, effective solution to a rapidly changing IT marketplace, and we caution the Administration to avoid establishing any new, overly prescriptive supply chain or software assurance scheme that would establish the Government as a leader in the process of developing technology or that would create a US-centric standard, as this would conflict with the proven security regime that has long been the foundation of our national security strategy.

We also point out concerns about how that which is proposed in this Executive Order may impact the consistent, accepted, risk-based government cybersecurity requirements contained in FISMA.  Beyond its impact on FISMA, the Executive Order may also overlap with and be redundant to the FedRAMP program, potentially subjecting any Internet-enabled computing services utilized by the government to new baseline security assessments, on top of the existing FISMA and FedRAMP requirements. Not only would this practice be costly, slow, and inefficient, but it could lead to new technology-specific overlays for services that are already being utilized and assessed by the federal government in a technologically-neutral way.

Lastly, we highlight our concerns regarding the potential effect of the rules proposed as a result of the Executive Order on the other major cyber-related requirements, both current and proposed, including those found in the FAR, the DFARS, FISMA and the last two National Defense Authorization Acts.


Michael Hettinger is VP for the Public Sector Innovation Group (PSIG) at SIIA. Follow his PSIG tweets at @SIIAPSIG. Sign up for the Public Sector Innovation Roundup email newsletter for weekly updates.

SIIA Hails House Passage of Cybersecurity Legislation, Urges Senate to Act

SIIA commends today’s House passage of the Cybersecurity Intelligence Sharing and Protection Act (CISPA, H.R. 624) and three other critical cybersecurity bills passed earlier in the week. Following the House passage of this legislation, I issued the following statement:

Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks as well as increasing security across the board. SIIA supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats.  Today, the House clearly recognized this vital need, and as cybersecurity threats and damage continue to grow, it is essential that the Senate move quickly to approve these bills.

CISPA creates the necessary flexibility for businesses to share security information without fear of legal or regulatory liability. Specifically, CISPA would protect companies and organizations that share threat and vulnerability information with the government from legal liability and the risk of lawsuits, while also providing a critical exemption from antitrust laws that currently discourage information exchanges between private companies.

Additionally, SIIA applauds House passage of three other key cybersecurity measures to reform federal information security management and enhance cybersecurity R&D. These measures include:

  • Federal Information Security Amendments Act (H.R. 1163)
  • Cybersecurity Enhancement Act (H.R. 756)
  • Advancing America’s Networking and Information Technology Research and Development Act (H.R. 967)

With cyber threats more sophisticated and targeted than ever, now is the time to act on critical cybersecurity legislative priorities. We urge the Senate to move with all deliberate speed to consider these key measures and advance the Nation’s cybersecurity readiness.


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Calls for Support for Cybersecurity Legislation

SIIA called on congressional leaders today to enact legislation that would help the government detect cybersecurity threats.  In a letter sent today, SIIA thanked Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) for their bipartisan leadership with regard to the Cyber Intelligence Sharing and Protection Act (CISPA), and urged members of the House Select Intelligence Committee to support this legislation.  In the letter, I commented:

Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks – increasing security across the board. SIIA supports CISPA because it would provide the critical necessary framework for early detection and notification of cybersecurity threats.  Specifically, CISPA would provide needed legal certainty that threat and vulnerability information voluntarily shared with the government would be provided safe harbor against the risk of lawsuits, and it would also provide a critical exemption from antitrust laws that currently discourage information exchanges between private companies.

 


Ken Wasch is President of SIIA. Follow the SIIA Software team on Twitter at @SIIASoftware.

SIIA Joins other Trade Groups in Supporting Cyber Legislation Introduced Today

Today, SIIA joined with other leading trade associations in support of the Cyber Intelligence Sharing and Protection Act (CISPA), bipartisan cybersecurity legislation introduced today by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) to enhance sharing of cyber threat information between the public and private sectors.  Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating cyber-attacks. CISPA would establish a framework that enables the public and private sectors to work together in sharing information on known threats and vulnerabilities, and enactment of this legislation would increase security across the board.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

SIIA Applauds Cybersecurity Commitment Announced in Tonight’s State of the Union Address

SIIA congratulates President Obama and his Administration for making cybersecurity a priority. We appreciate the President’s efforts to seek broad input in crafting the Executive Order signed today. We are particularly pleased that the Executive Order excludes commercial information technology products and consumer information technology services from the definition of ‘critical infrastructure at greatest risk.’ The Administration is clearly seeking to advance American innovation with this effort; however, the way in which the Order is implemented will be critical in determining its success or failure.

As we work with the Administration on implementation, a priority for our industry will be to avoid rigid regulations that impede the innovation that is essential for effective cybersecurity.

A regulatory approach seeking to cover a broad, rapidly-evolving cross-section of industry would have the unintended consequence of slowing technological innovation and limiting our collective cybersecurity preparedness. Therefore, it is essential that the Administration work with industry to implement the Executive Order in a way that retains necessary flexibility. Technological innovation must be allowed to keep up with rapid developments pertaining to both cybersecurity threats and protections.

To that end, we look forward to continuing to work closely with the Administration and congressional leaders to implement this policy.


Ken Wasch is President of SIIA. Follow the SIIA Policy team on Twitter at @SIIAPolicy.