By SEN. KAY BAILEY HUTCHISON, SEN. CHUCK GRASSLEY, SEN. SAXBY CHAMBLISS and SEN. LISA MURKOWSKI @ POLITICO
The Senate is about to consider cybersecurity legislation. Ensuring the integrity and safety of our nation’s critical infrastructure is a bipartisan issue that Congress and President Barack Obama must work together to tackle.
There is a right way and a wrong way to address cybersecurity. The right way is for the government and private sector to work together to solve problems, help the free flow of information between network managers and encourage investment and innovation in cybersecurity. The wrong way is new, heavy-handed, costly regulation and further expansion of government bureaucracy that will slow our nation’s response to cyberthreats and increase vulnerabilities.
First, the government must do a better job of protecting its own systems. These networks contain some of our most sensitive data and control some of our most important facilities. To improve network security, there are two areas in which Congress could legislate immediately.
The first is reforming the Federal Information Security Management Act. This law, crafted to improve the security of government information systems, is a decade old and should be updated with a real-time monitoring system.
The second critical component is leveraging our key federal research institutions — including national laboratories, the National Science Foundation and the Defense Advanced Research Projects Agency — to maintain U.S. global leadership in cybersecurity innovation. By developing leading-edge cybersecurity technologies, the United States can stay one step ahead of cyberthreats, whether from hackers, terrorists or nation-states.
Though improving the security of government systems is a crucial first step, it is not enough. The federal government does not own the overwhelming majority of the infrastructure that could be the target of cyberthreats.
For example, more than 1,800 entities own or operate components of our nation’s electrical grid. To secure critical infrastructure, we should focus on strengthening our existing oversight frameworks instead of creating duplicative regulatory regimes that give additional agencies, such as the Department of Homeland Security, broad new authorities to regulate.
In fighting cyberthreats, forewarned is forearmed. The single most effective way of advancing cybersecurity is sharing cyberthreat information between the government and industry, as well as within the private sector. Yet this collaborative relationship is undermined by our laws and policies — which put the government and private entities at a severe disadvantage in proactively identifying and countering cyberthreats.
The government often collects valuable information about potential threats that can and should be shared with private entities — without compromising national security. Companies should be free from legal barriers and constraints that prevent or deter them from voluntarily sharing cyberthreat information with their peers or with the government.
As a government, we should work with the private sector to help them respond to cyberthreats. Not punish them for being victims of cyberattacks or for working with others to prevent future attacks.
In addition, our nation’s criminal laws must be updated to account for the growing number of cybercrimes. We support legislation to clarify and expand the Computer Fraud and Abuse Act — including increasing existing penalties, defining new offenses and clarifying the scope of current criminal conduct.
These changes will ensure that our criminal laws keep pace with the ever-evolving threats posed by cybercriminals.
This approach should lead to significant strengthening of our nation’s cybersecurity and quickly gain bipartisan support in Congress. Unfortunately, the administration’s proposal would create new, massive and ill-defined regulatory burdens — forcing many private companies that work with digital networks to be regulated by DHS.
Such broad new regulatory powers will, in turn, require a dramatic and costly expansion of the federal bureaucracy and its regulatory reach. This expansion will not help secure America’s networks and will harm both innovation in cybersecurity and our nation’s already suffering economy.
Now is not the time to increase the size and cost of the federal bureaucracy. We need to focus instead on reforming existing federal government entities, streamlining and targeting regulatory efforts, looking for efficiencies and strengthening our nation’s capacity to deal with cyberattacks.
The administration’s proposal is ultimately a costly and heavy-handed regulatory approach. It will not work and it won’t pass Congress. We hope the president will work with us on a more collaborative approach between government and business to effectively address the critical issue of cybersecurity.
