There’s likely to be a “pause” in Congress with respect to any statutory change around cybersecurity regulations, according to Rep. Jim Himes, D-Conn.
Himes, the ranking member of the NSA and Cybersecurity Subcommittee of the House Permanent Select Committee on Intelligence, gave the keynote speech during a recent cybersecurity summit hosted by NCS Regulatory Compliance in New York.
“It’s not that there isn’t a high level sense of urgency around evolving our overall cybersecurity defenses — including law, including our own federal government protections,” he explained. “Almost a day doesn’t go by that we don’t see an Equifax, a Sony, a Target or an SEC [hack].”
Equifax recently announced a cybersecurity breach may have affected 143 million U.S. consumers’ personal information, sparking outrage in the financial services community.
Then, last week, Securities and Exchange Commission Chairman Jay Clayton announced in a sweeping cybersecurity statement that the agency learned in August that a 2016 cyber breach incident involving its Electronic Data Gathering, Analysis and Retrieval corporate filing system “resulted in access to nonpublic information.”
“Despite that sense of urgency, despite the acknowledgement that we have a real problem here, there’s a bunch of things that are causing friction in terms of statutory change,” Himes told the small crowd.
One reason is that the Cybersecurity Information Sharing Act (CISA), which passed in December 2015, never received full support from big tech and media companies and civil liberties groups.
CISA was supported by financial services groups and banks, but companies like Google, Microsoft, Apple, Twitter, Yahoo, Yelp, Netflix, Amazon, eBay and Wikipedia saw the bill as a threat to Americans’ privacy.
CISA encourages the sharing of critical cyber threat information between financial institutions, among and between sectors, and with the federal government in order to protect consumers and the nation’s financial infrastructure.
A second reason there’s likely to be stasis in terms of legislative action is that no one is hearing much feedback on the information sharing mechanisms that were established by CISA, Himes said.
Another reason is that the focus tends to be on sovereign attacks, which “takes a little bit of the eye off the ball with respect to domestic cybersecurity legislation,” he said.
“There is a robust dialogue as you know publicly with respect to the Russian hack of our election. But we have as you probably know a fairly aggressive multilateral discussion that includes the Chinese and others who have made a business for a very long period of time of violating our networks,” Himes said.
Himes does think it’s possible that there will be “smaller, more incremental, more marginal bills passed.”
Outside of this legislative stasis, Himes thinks that Congress could play a role in working toward an international cybersecurity framework.
“We have to accelerate the pace of the work that we do internationally for the establishment of norms in the cybersecurity realm,” Himes said.
He said that there have been some “halting efforts” and meetings internationally to try to establish what would be an analog to the Geneva Conventions, which govern armed conflict.
There have been formal efforts over the years to try to establish what Himes likes to call an “E-Neva” Convention — a convention that would create an international system of rules for cyberwarfare and cybercrime analogous to the Geneva Accords.
“We’re not going to attack each other’s hospitals. That’s a perfect analog to one of the elements of the Geneva Conventions,” Himes explained.
Himes said this would also include “making efforts to join with even our most ardent adversaries — by which I mean Russia, China, Iran, North Korea — to work together to identify non-state rogue actors.”
“There’s an asymmetric quality to the cyber warfare that means that we have a profound interest with our adversaries who are subject to rogue activity as we are, in working together to identify non-state actors and stop what they’re doing,” he explained.
When Mike Dvilyanski, supervisory special agent at the FBI, gave a presentation later at the summit, he agreed with Himes on the need for an “international cyber norms agreement, treaty, framework, whatever you want to call it.”
“As we try to address the threat actors we face, many of them don’t reside in our country or countries with whom we have great diplomatic partnerships or relationships,” he explained. “There are no norms that are uniform in the cyber space, so our job is that much more difficult when the investigation takes us to a certain border.”