The U.S. Government learned some cybersecurity lessons the hard way this past year. And while many watched with frustration, it is important to remember that despite Six Sigma’s best efforts, some solutions can only be mastered through the ancient tradition of try, fail, tweak, repeat.
However, before launching legislative solutions for peace of mind, there must be a basic understanding of how the legal and cybersecurity puzzle pieces fit together. Absent such comprehension, a greater mess is created. Unfortunately, early movement in the United States Congress shows indications of piecemeal, albeit well-intentioned, thought processes:
Expanded Domestic Authority for NSA/USCYBERCOM: On March 25, 2021, DefenseOne.com reported that “Several members of the Senate Armed Services Committee on Thursday voiced their support for expanded authorities for the NSA and U.S. Cyber Command to conduct more intelligence gathering domestically,” which would conceivably permit the NSA and USCYBERCOM to hunt for threat actors inside the US. Many may not realize that both the NSA and USCYBERCOM are under the command of Gen. Paul Nakasone, a 4-star general serving in the United States Army. Many are likely even less familiar with the fact that, under the Posse Comitatus Act of 1878 and 18 U.S.C. §1385, it is a criminal offense to use the Army or Air Force (really the active military) to execute the laws of the United States against its own citizens domestically. In short, the U.S. military, barring certain exceptions, cannot transform into a law enforcement entity. This is also a 10th Amendment constitutional law issue.
Fortunately, Gen. Nakasone politely noted that there would be certain legal challenges to such expanded authorities – likely not wanting to expressly refute any congressional allies. However, if the United States Senate wants to expand surveillance against domestic cyber terrorists, it needs to use Department of Justice assets and/or the United States Secret Service and confront all the FISMA, 4th Amendment, Due Process, and Patriot Act issues therewith.
H.R. 1251 – Cyber Diplomacy Act of 2021: This is a bi-partisan bill currently before the House of Representatives that seeks to create a multi-national alliance for the safe promotion of trade, free expression, security, and stability within cyberspace. The Bill further seeks to enforce responsible “norms of behavior,” end intellectual property theft, promote human rights, apply international law to cyberspace, and create a Bureau of International Cyberspace Policy within the U.S. State Department. The concept of creating “Cyber Diplomacy” for the betterment of international welfare is certainly admirable. However, a major concern with this proposal is that the United States has yet to create any type of comprehensive cyber policy within its own borders on data privacy, consumer safety, or the other subjects addressed by the Cyber Diplomacy Act. Indeed, the debate on whether to tighten the language of 47 U.S.C. §230 (social media platform protection from offensive/false user content) remains alive and controversial. Thus, this critique of H.R. 1251 is not a suggestion for or against a comprehensive federal law in any area – more of a suggestion that efforts might be better spent focusing elsewhere in the field of cybersecurity.
Fortunately, there are a few bills that may prove extremely useful, although “unsexy” from a public relations perspective:
S. 70 – National Guard Cybersecurity Support Act: Short, simple, and to the point, this Act would expand each state’s ability to use federal training funds to pay its National Guard Soldiers and Airmen to respond to state cyber emergencies that involve critical infrastructure. This is extremely important for 3 reasons: 1) the Guard is one of the few public resources with the qualified personnel to handle such events; 2) Guard personnel greatly prefer federal pay and benefits to state pay and benefits (such as healthcare and retirement points), and if Guard personnel are not treated fairly, they will elect to leave Guard service, and poof, the public resource that everyone (governors, other federal agencies, citizens) relies upon will be gone; and 3) there is already a cybersecurity workforce crisis in the USA, so losing qualified personnel from the Guard will only exacerbate an existing problem within the public sector.
H.R. 2236 – A Voluntary Program to Promote Better IoT Products: This bill was introduced on March 26, 2021 under the title “To establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes[,]” but its text is not yet available. However, programs that begin as permissive (as opposed to compulsory) to encourage better standards in otherwise incorrigible areas show signs of thoughtfulness by the authors.