Will CRS Report Focus Government Action on Cybersecurity?
The Congressional Research Service (CRS) released a report consolidating many government initiatives related to cybersecurity. There has been a significant uptick in cyber-related legislation, Executive Branch policy statements, and agency enforcement announcements. In this environment of near-constant change, the report provides some helpful insight into where we are, how we got here, and, possibly, where we are going.
Released in March, the report outlines select cybersecurity issues for Congress and is intended to “provide context and a framework for further discussion on selected policy areas [including] cybersecurity incidents, major federal roles and responsibilities, [and] recent policy actions by Congress and the White House[.]”
CRS is a legislative agency within the Library of Congress which “works exclusively for the United States Congress, providing policy and legal analysis to committees and Members of both the House and Senate, regardless of party affiliation.” While providing a high-level review of cybersecurity concepts and the role of select federal agencies in addressing cyber threats, the report concentrates on specific topics which “may be of interest to Congress,” including:
- Protecting critical infrastructure;
- Data breaches and data security;
- Education and training;
- Encryption;
- Information sharing;
- Insurance;
- International issues;
- The Internet of Things;
- Oversight of federal agency information technology; and
- Incident response.
Expect More Cyber Bills and Congressional Investigations
Citing global attacks on networks and our critical infrastructure, the report identifies that “Congress may be faced with the need to address such problems…made more urgent by the expected continued evolution of cyberspace and more difficult by the unpredictable nature of emerging threats.” The report notes that rapid changes in technology and greater reliance on connected devices and networks could lead to greater risk exposure. As higher-profile attacks pose the possibility of more significant impacts, Congress could respond to watershed moments with urgency. Identifying recent data breaches and subsequent congressional investigations, CRS notes that “reliance on IT and data also creates risk for corporate leadership to manage.”
Improving Information Sharing Initiatives
CRS recognizes that barriers to information sharing “have long been considered by many to be a significant hindrance, especially with respect to critical infrastructure (CI) sectors. Private-sector entities have often asserted a reluctance to share such information among themselves because of concerns about legal liability, antitrust violations, and potential misuse, especially of intellectual property, including trade secrets and other proprietary business information.” CRS cites the Cybersecurity Information Sharing Act (CISA) as taking steps to facilitate public- and private-sector sharing of information on cyber threats and defensive measures but also suggests that Congress could improve upon several factors, including: “the complexity of the current structure for information sharing,” the “sharing of information among private-sector entities,” and “changing the incentive structure for cybersecurity” among others.
Addressing the Internet of Things
CRS acknowledges the societal and economic benefits made possible through the Internet of Things (IoT), but notes that “as the number of connected objects in the IoT grows, so will the potential risk of successful intrusions into IoT devices and increases in costs from those incidents.” Currently there are multiple ongoing lines of effort related to IoT security. Among other activities, several bills propose standards or ways to improve security of IoT devices, and the White House has directed the Departments of Homeland Security and Commerce to convene stakeholders and produce a report with recommendations to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. This report is due to the White House in May.
Conclusion
Whether through legislation, regulatory action, enhanced enforcement actions, or policy proposals, the U.S. government is taking a close look at each of the topics outlined in the CRS report. While the report is not predictive of future Congressional action, the list of priorities identified by CRS gives an indication of where Congress’s attention and energy may be in the near term on cyber issues.