security related federal legislation

One of the most important security-related pieces of legislation recently passed in Congress is the H.R. 1731: the National Cybersecurity Protection Advancement Act of 2015, also known simply as the Cybersecurity Act of 2015. The Act has widely been considered a “landmark cybersecurity information sharing legislation,” (Abascal, Archie, Crawford, et al., 2016) and “the most significant piece of federal cyber-related legislation enacted to date,” (Sullivan & Cromwell LLP, 2015, p. 1) because it is one of the first and strongest attempts to federalize cybersecurity in the broader interests of counterterrorism and national security. In fact, the Act specifies the role the Department of Homeland Security plays in coordinating information sharing efforts.
Most significantly, the Act requires that the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) interact with non-federal and private sector organizations for comprehensive information sharing. What this generally means for individuals and businesses is that we are now better equipped to cooperate with the federal government in terms of information sharing, such as divulging any information requested by the NCCIC. The Act does not mandate that any organization share data with the government. However, the Act does make it so that individuals and companies are protected from liability when information is shared. The Act includes specific liability and information privacy protection provisions to facilitate information sharing from the private sector. Without these provisions, the private sector would fear any repercussions that came from information sharing. Therefore, the Cybersecurity Act of 2015 offers an ideal balance between privacy protections and national security needs.
Initially the Act had “raised concerns among privacy advocates,” (Zakrzwski, 2015, p. 1). The reason for these concerns is that when organizations in either the public or private sector share information with the Department of Homeland Security, there is some potential for that information to contain your personal data. By including provisions related to the role the Chief Privacy Officer and the Chief Civil Rights and Civil Liberties Officer play in reviewing and assessing how the act has been implemented and any privacy-related consequences or concerns it has raised, the Act does offer a reasonable compromise that should appeal to most Americans. Moreover, the Act protects organizations from liability with the only exception being in cases involving “willful misconduct,” (“H.R.1731 - National Cybersecurity Protection Advancement Act of 2015,” 2015). Another way the Act does protect Americans from infringements on privacy is that it holds the government liable “if an agency or department violates privacy and civil liberty guidelines and restrictions on the use of information required by the bill,” (Congressional Budget Office, 2015). For this reason, even the most sensitive of privacy watchdog groups have offered tacit, cautionary support for the Act (Zakrzewski, 2015). The American Civil Liberties Union (ACLU) even gave its “blessing” for the Act, “a rare occurrence for a cyber bill, (Bennett & Marcos, 2015, p. 1). Therefore, anyone concerned about how the Act impacts their own privacy should rest assured that their personal information is actually much better protected now than ever before.
Prior to this Act, government and private entities were vulnerable to cyberattacks, which could undermine counterterrorism efforts in general, and cause havoc to basic public infrastructure like transportation and communication networks and banking systems. Ancillary problems like identity theft can also occur when a private or government entity is under cyberattack. A series of serious attacks on Sony Entertainment, Anthem, Home Depot and JPMorgan Chase made it abundantly clear that greater coordination and information sharing was needed to protect Americans from cyberattacks (Bennett & Marcos, 2015). President Obama quickly responded with an executive order that led to preliminary drafts of the Cybersecurity Act, and Congress passed the Act practically unanimously with a 355-63 vote.
It may seem surprising to you that the ACLU and other civil liberties organizations would support an Act that “authorizes various entities, including outside the federal government, to monitor certain information systems and operate defensive measures for cybersecurity purposes,” (Sullivan & Cromwell LLP, 2015). After all, authorizing the government to “monitor certain information systems” sounds a lot like surveillance. The reason why the Act does not run roughshod over American civil liberties is that it builds in safeguards such as mandatory removal of personal information that is unrelated to the security threat. The Chief Privacy Officer continually monitors the collection, dissemination, and utilization of data and continually consults with civil liberties agencies (“H.R.1731 - National Cybersecurity Protection Advancement Act of 2015,” 2015). Furthermore, an amendment to the Act requires the “Government Accountability Office to report to Congress five years after the bill's enactment to review its impact on privacy and civil liberties,” (Bennett & Marcos, 2015).
In addition to addressing the primary concerns of liability and fears of privacy infringement, the 2015 Act also strengthens cybersecurity infrastructure within the federal government. Security hawks love this aspect of the Cybersecurity Act, because of the clear and present danger presented by cyberthreats. If you are not yet worried about cybersecurity, you should be. A cyberattack can be more disruptive to the nation than an isolated terrorist incident, and can lead to massive casualties: consider what would happen if there were a malicious attack that took down all air traffic control systems, for example. Cyberattacks are also relatively easy to plan, organize and execute by non-state or state actors. The threat of cyberattacks might not seem as immanent or frightening as traditional terrorist attacks because they seem more abstract and less visceral, but they need to be taken more seriously by the general public. Cybersecurity is part of a comprehensive homeland security strategy; no security strategy would be complete without something akin to the Cybersecurity Act of 2015.
Once it was decided that the main roadblocks to the Act were related to fears of liability and fears of privacy infringements, passing the Act was relatively straightforward. However, security managers frequently run up against individuals who remain concerned about the implications of the Act in terms of broadening the government’s ability to spy on its people. Security managers are just as concerned as you are about privacy. In fact, one of our chief jobs is to ensure that all information systems are secure to prevent data breaches. If the Cybersecurity Act of 2015 presented threats to your privacy, we security managers would not support it and would instead offer alternative solutions. The Cybersecurity Act is generous in that it does not force companies to provide information. It encourages information sharing in ways that genuinely promotes the best interests of all Americans.
If you are a business owner who is concerned about how the Act affects you and your employees, consider that the Act extends both civil and criminal liability protection. Even cybersecurity companies are protected. The Act also supersedes the cybersecurity legislation passed at the state or local level. What that means for you is that liability protection is practically guaranteed. Unless a person is unequivocally engaged in malicious activity, there will be no civil or criminal charges brought against your corporation. In fact, you are even empowered to share cyberthreat data with your suppliers, your business partners, or even your competitors in order to promote data and network security without violating antitrust laws (Abascal, Archie, Crawford, et al., 2016). If you were interested in performing your own network security operations, you could also gather data so long as you do not combine it with personal identifiers that might implicate employees or your clients. “All information shared must be stripped of non-cybersecurity related information, and may be used by the federal government to prevent serious threats,” (Abascal, Archie, Craford, et al., 2016, p. 1). However, it is important to point out that you are still not allowed to pursue your own offensive attacks that you believe might help the government catch would-be cyberterrorists (Abascal, Archie, Craford, et al., 2016). In other words, don’t even think about hacking the hackers.
The Cybersecurity Act improves coordination and communication between government agencies, within the federal government, and also between federal, state, local, and tribal governments. Whenever threats have been detected, the appropriate agency or entity is alerted and provided with the information and tolls they need to identify and mitigate the attack. The Act also prioritizes cybersecurity to a degree that liberates funding for research and development, which should help establish the United States as a leading counterterrorism agent that provides support and training for global allies. After all, cyberspace is global space: attacks that take place offshore are still attacks that affect every American. When you consider how many of our essential services and systems are housed abroad, it should be abundantly clear why we need the Cybersecurity Act to bolster efforts to share information about potential threats, risks, and responses.
Finally, the Cybersecurity Act requires the establishment of the much-needed National Cybersecurity Preparedness Consortium. The Consortium is designed to better educate and train first responders in the wake of a terrorist attack. With improved readiness, the nation builds resilience. Cyberattacks can happen at any time; being able to detect and prevent risks, and also respond to attacks immediately, is the cornerstone of effective homeland security.












References

Abascal, M.A., Archie, J.C., Crawford, G.E., et al. (2016). What You Need to Know About the Cybersecurity Act of 2015. Lexology. https://www.lexology.com/library/detail.aspx?g=71db9ab9-d14b-470c-8e9b-c94b29065a94
Bennett, C. & Marcos, C. (2015). Cyber threat-sharing bill heads to Senate. The Hill. http://thehill.com/blogs/floor-action/house/239856-house-sends-cybersecurity-bill-to-senate
Congressional Budget Office (2015). H.R. 1731, National Cybersecurity Protection Advancement Act of 2015. https://www.cbo.gov/publication/50116
“H.R.1731 - National Cybersecurity Protection Advancement Act of 2015.” Congress.gov. https://www.congress.gov/bill/114th-congress/house-bill/1731
Sullivan & Cromwell LLP (2015). The cybersecurity act of 2015. https://www.sullcrom.com/siteFiles/Publications/SC_Publication_The_Cybersecurity_Act_of_2015.pdf
Zakrzewski, C. (2015). House passes complementary cyber information-sharing bill. TechCrunch. https://techcrunch.com/2015/04/23/house-passes-complementary-cyber-information-sharing-bill/