Legislated Cybersecurity

6 07 2012

At various stages of Congressional debate are no fewer than four bills aimed at securing our nation’s cyber systems and networks. While these bills all differ in length and content, they share many of the same legitimate motives for such legislation. In their successful bid to pass the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives on April 26, 2012, House Representatives Mike Rogers and C.A. “Dutch” Ruppersberger decried the theft of U.S. intellectual property by nation-states through the breach of cyber systems, which costs American jobs and costs businesses over $300 billion each year. [1] Representative Rogers goes on to warn of the catastrophic disruptions to the “financial sector or the energy sector or our command and control elements for all of our national security apparatus” as the result of a foreseeable foreign breach of cybersecurity. Senator Joe Lieberman, in pursuit of the passage of the Cybersecurity Act of 2012, relates a Wall Street Journal article about a 22-year-old man, an ocean away, cracking into the control system of a water utility in the United States, [2] thus making it imperative that legislative action be taken, lest the U.S. suffer an attack in the energy, water, waste-water, or other utility segments: a cyber-9/11, as he put it. Senator John McCain and the co-sponsors of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT) echo these concerns. [3]

What’s Yours is Mine?
Arbitrating the case for cybersecurity legislation is in fact a moot point; most, if not all, in Congress and in the business sectors believe it is necessary. For all of the bipartisan vamping that has taken place, where a demonstration of combined effort between two grossly divided political parties may help to pass legislation, these bills share at least one common factor: information sharing of cyber threat data among public and private entities. The necessity of such a section in legislation is due to the ambiguity that exists in current laws, such as anti-trust and the Freedom of Information Act, which would bring litigation to public and private entities alike should information be disseminated. These bills make the sharing of information legal but voluntary, as long as the information is shared per the conditions set forth in the bills. [4] CISPA, in its admittedly narrow approach, deals almost exclusively with the sharing of cyber threat intelligence. [1] What raises the ire of any red-blooded American, and of civil liberties and government watchdog groups alike, is that often these conditions for sharing cyber threat information are vague at best, using phrases such as “in good faith” or “in the interest of national security.” In the text of The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (PRECISE Act), Section 248 allows cybersecurity providers to share cyber threat information, while defining cyber threat information as “necessary to describe a method of defeating technical controls on a system or network that corresponds to a cyber-threat.” [5] Legitimate use of port scanning, an anonymization service, or other like methods could be understood as cyber threat information under this rule. [6] Further still, for information obtained in the name of cybersecurity, these bills provide little meaningful requirement that private information unrelated to a cyber-threat be ‘scrubbed’ from the data.
The closest language to attempt the anonymization of non-cyber threat data is in the Cybersecurity Act, where “reasonable efforts” should be made to this end. [7] Perhaps the most damning shortcoming of the bills mentioned here is the circumvention of Fourth Amendment rights against illegal search and seizure. Under these bills, with the loose terminology described above, governmental bodies may use legitimately volunteered cyber threat data in the pursuit and prosecution of a non-cyber threat crime, should the data include such information. [8]

What’s Next?
CISPA, as mentioned, has passed the House and may be seen in the Senate in the coming weeks. But in its current form it is not expected to pass the Senate, given the Democratic majority; meanwhile, the White House is expected to veto the bill and has announced its support for the Cybersecurity Act. Unfortunately, other measures in the Cybersecurity Act, which establish regulatory measures on cyber systems deemed critical, do not garner favor with Republicans, who would then back the SECURE IT bill. Despite this, each of these bills contains constitutionally fundamental flaws that would be challenged should they garner legislative passage in their current forms.


  1. 112 Congressional Record H2157 – H2158 (2012).
  2. 112 Congressional Record S4135 – S4137 (2012).
  3. 112 Congressional Record S1201 – S1205 (2012).
  4. Paul Rosenzweig. “Congressional Cyber Initiative Shows Promise.” The Heritage Foundation. Ed. Paul Gallagher. January 31, 2012 <http://www.heritage.org/research/reports/2012/01/rogers-ruppersberger-bill-a-solid-cybersecurity-approach>.
  5. H.R. 3674 112th Congress (2011).
  6. Dan Auerbach, Lee Tien. “Dangerously Vague Cybersecurity Legislation Threatens Civil Liberties.” Electronic Frontier Foundation. March 20, 2012 <https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation>.
  7. S. 2105 112th Congress (2012).
  8. Ryan Radia. “Free Market Letter on CISPA.” Competitive Enterprise Institute. April 21, 2012 <http://cei.org/coalition-letters/free-market-coalition-letter-cispa>.


