Cybersecurity is one of the major topics in the technology industry and has become a focus at the state, federal and international levels of government. As the debate continues, TechAmerica asserts that any cybersecurity legislation should preserve the vitality of innovation and promote the sector’s ability to respond to constantly evolving cyber threats. TechAmerica and its members are dedicated to maintaining and expanding the partnership between the private sector and the government to address our nation’s cybersecurity preparedness.
Over the last six years, TechAmerica has been focusing on these critical issues, working closely with Congress and the Administration to address the threats to our nation’s cybersecurity. Any cybersecurity measure must be firmly grounded in a strong public private partnership. We believe that legislation, if not done carefully, could do more harm than good. Specific mandates generally do not adapt as quickly as threat and technology landscapes change, so they can hinder industry’s ability to innovate and effectively mitigate threats. Mandates affect industry’s ability to design, develop and deploy technology.
Improved information sharing is one vital element of cybersecurity legislation that TechAmerica strongly supports in order to bolster national cybersecurity and critical infrastructure protection. We also support updating the Federal Information Security Management Act to reflect continuous monitoring capabilities and a risk-based approach, ensuring cybersecurity research and development; greater penalties for cybercriminals; and a national approach to data breach notification that creates a national standard and pre-empts the patchwork of state laws while providing for safe harbor for those entities that take steps to protect their systems from breaches and render data unreadable, undecipherable, and unusable in order to protect individuals from harm.
As threats from cyber attacks continue, state legislatures will feel compelled to pass legislation in the area of privacy, data breach and consumer notification. Also state Attorneys General are proposing remedies when data is breached. TechAmerica supports uniformity of laws, so that companies do not have to follow differing state laws & requirements. Cybersecurity continues to be a challenge and critical threat to state information technology systems.
Cybersecurity legislation has been a topic of interest on Capitol Hill for a number of years: former Senator Joseph Lieberman (I-CT) and Senator Susan Collins (R-ME) introduced bills in the previous two Congress’; the Obama Administration made its own proposal in May 2012; and the House Republicans, through a task force led by Representative Mac Thornberry (R-TX), have also made recommendations. The White House has also been concerned with cybersecurity and released its highly anticipated Cybersecurity Executive Order regarding critical infrastructure protection in February 2013.
The inability to share information is one of the greatest challenges to collective efforts toward improving our cybersecurity, and we support legislation such as the Cyber Intelligence Sharing and Protection Act, or CISPA to remove those barriers in order to foster better information sharing between the government and the private sector. We believe that information sharing is a fundamental component that will better enable collaboration in defense of cyber-attacks while ensuring strong privacy protections.
TechAmerica supports CISPA because it seeks to remove a significant barrier to information sharing to enable collaboration in defense against cyber attacks like the one we, and so many others, experienced. We are working toward improving the public discourse on this issue so that is informed and accurate and believe that the bill strikes the right balance by ensuring strong privacy protections while being completely voluntary, and strictly limits the government’s use of cyber threat data. CISPA will let the intelligence community and cybersecurity entities share certain cyber threat intelligence and cyber threat information. That sharing will be restricted to certified entities and people with appropriate security clearances. It must be consistent with national security needs, and the recipient of the intelligence must protect it against unauthorized disclosure.
In February 2013, the European Union announced a new cybersecurity strategy. As a long standing advocate, on both sides of the Atlantic, we appreciate the commitment to make cybersecurity a political priority within the European Union and their willingness to view it through a global lens. We are convinced that international, notably transatlantic cooperation, as well as comprehensive and effective partnership between public and private stakeholders will be key in advancing this policy agenda.
The European Cybersecurity Strategy rightly seeks to foster further cooperation among EU Member States and between the EU and third countries, focuses on resilience and capacity building and also covers some aspects of cybercrime.
While we applaud the Commission’s effort to seek to comprehensively address all three pillars of cybersecurity, i.e. people, process and technology, we are concerned about the overly broad scope of the draft network and information security (NIS) directive. The directive extends from developing competent authorities, cooperation networks and secure information exchanges to incident reporting obligations and audits for a broad set of market operators including an indefinite range of providers of Internet services, which is not only broad but is also unclear about the positive outcomes and benefits which it seeks to deliver to the EU and its member states. Only clearly identified outcomes and policy objectives, in an appropriately and accurately focused scope, can make it possible to assess whether the information sharing initiative is indeed contributing to cybersecurity, or simply adding new burdens on the sources and the recipients of the shared information.
We believe that to be manageable, useful and proportionate, the requirements should be narrowly targeted at sectors which operate truly critical infrastructures. We are concerned that the sweeping and indiscriminate inclusion of “enablers of Internet-services” in the scope of the directive would fail to strike the delicate, but indispensable, balance between the risk-based prioritization of assets and functions to be protected and the strong interdependencies in cyberspace across sectors and across borders.
Security ultimately cannot be achieved by measures which would hinder industries’ ability to innovate and respond by raising new market barriers at the borders or within the EU single market, or impose technology mandates or bureaucratic burdens. We continue to advocate for an approach that unifies our engagement with international partners on the full range of cyber issues.
(Chair: Thomas R. Sisti, Esq., SAP; Vice Chairs: Eric Wenger, Microsoft and Julie Taylor, SAIC)
The Cybersecurity Committee has played a leadership role in its commitment and efforts to improving the information security of the nation’s critical information infrastructure through cooperation and outreach among industry and government.
This committee meets monthly to discuss major issues, interact with government and commercial leaders, and facilitate introductions to prospective customers and partners in the public and private sectors, both domestic and international. Companies focused on information security are able to leverage their involvement in our program toward meeting their policy and business development objectives. Whether the challenge is mobilizing collaboration within the private sector toward practical information security solutions, engaging government leadership on critical information security concerns, influencing public policy, promoting cyber security R&D, or building the talent base globally, this committee is at the forefront of the information security issue.
The Committee advocates the development of a national cyber security strategy and focuses on a wide variety of policy issues including, but not limited to: Federal Information Security Management Act (FISMA), Data Breach, Counterfeit IT, Global Supply Chain, and privacy.
(Chair: Bob Dix, Juniper Networks; Vice Chair: Dena Graziano, Symantec; Vice Chair: Denise Zheng, CA Technologies)
The Subcommittee works closely with the Cybersecurity Committee. The Subcommittee analyzes legislative and regulatory proposal and assist in developing TechAmerica’s policy positions on cybersecurity.
Senior Vice President, Federal Government Affairs
Senior Director, Homeland Security, Public Sector