A recent exchange of letters between Sen. John McCain and General Keith Alexander (Director of NSA and the Commander of USCYBERCOM) highlights the continuing tension between supporters of McCain’s SECURE IT Act of 2012 (S.2151) (“SECURE IT”) and those who, like the Obama Administration, support Sen. Joe Lieberman’s Cybersecurity Act of 2012 (S.2105) (“CSA”). As has been widely reported, the two bills take very different approaches to cybersecurity. SECURE IT calls for a voluntary information sharing regime that would apply to all entities and is focused on sharing of cyber threat information, with liability protection for those who participate. It also contains provisions that modify criminal penalties for certain cyber activities and implement certain R&D efforts. It is similar, in some respects, to the Cyber Intelligence Sharing and Protection Act (“CISPA”) (H.R. 3523), which passed the House at the end of April. In contrast, the CSA focuses on “Covered Critical Infrastructure” (“CCI”) and mandates compliance with a minimum set of cybersecurity requirements by any owner or operator such CCI. It also contains provisions addressing DHS authorities, education and workforce development, R&D, and other related topics.
The sparring began on March 29, 2012, when McCain sent Alexander a letter with pointed questions about Alexander’s March 27 testimony before the Senate Armed Services Committee, during which Alexander stated “that the U.S. Government needs no additional authorities to defer and defend against cyber attacks on our nation,” and his earlier testimony, in which he stated additional authorities were needed. McCain then intimated that Alexander had bowed to political pressure, suggesting that his testimony “appears to have been more heavily influenced by White House policy, rather than your best military and technical advice and expertise.”
In his May 4 response, Alexander began by observing that the U.S. needs new cyber legislation that “removes existing barriers and disincentives that inhibit the owners of the critical infrastructure” from sharing information with the government. However, Alexander also recognized the need for balance, stating that “[a]t the same time, it is important that legislative requirements not be too burdensome.” Alexander also stated that the U.S. military needs to be ready to carry out “both offensive and defensive missions” (emphasis added). In response to McCain’s accusation of political pandering, Alexander closed by saying that he “remain[s] committed to providing you my best military and technical advice and expertise.”
McCain responded on May 9, first noting the disparity between Alexander’s position in his May 4 letter and the “legislative proposal being supported by the Administration in the United States Senate,” and then expressing his belief that the current U.S. cyber strategy is “insufficient and overly reliant on defense.” He also noted that a single policy tactic will not solve the cybersecurity debate. McCain advocated instead for an approach that fosters a “cooperative relationship between the government and the private sector” (such as in his SECURE IT bill) as opposed to other proposals that would “establish an adversarial one” (such as that in Lieberman’s CSA).
McCain then unleashed a scathing public criticism of DHS, the CSA, and the Administration’s support of both, stating that (a) he “do[es] not believe tying liability protection exclusively to sharing with the government should be characterized as voluntary, that it encourages better information sharing…or does enough to protect individual privacy” and (b) adding an additional layer of bureaucracy via the DHS is not in the best interest of either national security or private sector flexibility. He then went onto note that he was “unaware of the Congress ever creating a regulatory regime in which it does not say what entities will be regulated, and simultaneously authorizes a government agency, an agency with few if any regulatory successes, to determine what needs to be regulated and how to regulate it.”
It is difficult to argue with Sen. McCain’s criticisms here. The state of cybersecurity could actually get worse under a vaguely defined and adversarial regime. Instead, we need a balanced approach to cybersecurity legislation, as Gen. Alexander has stated. Taking a voluntary approach that is coupled with true incentives (and some appropriate disincentives) would seem to make the most sense. Sen. McCain points out that his SECURE IT bill avoids a burdensome regulatory approach, allows a cooperative relationship between the government and private sector on cybersecurity, and “allows those who have the greatest capabilities to protect us to have the best opportunity to do so.” Whether SECURE IT strikes the right balance, however, remains to be seen.