A few weeks back, I recommended that the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies have a “do-over” of a hearing where the subject was private sector interaction with DHS S&T. I recommended this because the most successful private sector program at S&T – the SAFETY Act implementation – was never mentioned. On July 28, the same Subcommittee held a hearing on promoting and incentivizing cybersecurity best practices, and it was more than a “do-over” of the earlier hearing.
The title of the hearing was different from the first one, but the majority of the July 28 hearing was a discussion of how and whether the SAFETY Act is effective in promoting better cybersecurity practices. It was one of the most substantive hearings the committee has held this year.
Subcommittee Chair John Ratcliffe (R-TX) noted in his opening statement that the hearing was designed to explore ways to improve cyber protections – a particularly timely subject in light of the ongoing news coverage of the Office of Personnel Management (OPM) breach. He set the right tone for the hearing:
“If there is something more that can be done to increase cybersecurity best practices overall, and potentially reduce the likelihood of large-scale cyber attack, this Subcommittee is going to examine it. SAFETY Act coverage for cybersecurity will not solve all our cybersecurity challenges but it has the potential to make a significant improvement in our Nation’s cyber defenses.
“In the coming weeks, the Committee on Homeland Security will consider House-passed legislation from the 113th Congress that would amend the SAFETY Act to establish a “qualifying cyber incident” threshold to trigger SAFETY Act liability protections for vetted cybersecurity technologies.”
Representative Jim Langevin (D-RI), filling in for Subcommittee Ranking Member Cedric Richmond (D-LA), delivered an opening statement that recognized the benefits of incentivizing behavior that would improve cyber hygiene. Langevin, who has spent a great deal of time pondering the proper role of the federal government in dealing with cyber issues, brought a mix of serious thought and business reality to the hearing. His opening statement can be viewed on the committee’s minority website.
Although not there to deliver it, Richmond’s written statement focused on the benefits small businesses gain from SAFETY Act coverage – an area that deserved the attention he gave it.
“Small businesses are the backbone of America’s workforce and innovation, creating most of the jobs in America. A SAFETY Act designation or certification for a new innovative product can improve a smaller company’s bottom line and help resolve their concerns about liability protections. That was the original intent of the Act in 2002. We are all concerned about the ability of American businesses, large and small, to protect their data and networks in today’s amplified cyberthreat atmosphere. The question before us is how to best encourage civilian businesses to make sure their cybersecurity efforts are state-of-the-art, and how does SAFETY Act liability protection play a key role in helping us achieve that goal, in the complex, multilayered arena of cybersecurity?”
The committee members’ opening statements AND the questions posed to the witnesses were designed to bring clarity to the subject and were not peppered with extraneous partisan political sniping. It was a breath of fresh air.
The three witnesses provided substantially differing viewpoints, so the committee got diverse perspectives. In my view, their thoughtful yet distinct “cognitive dissonance” will better inform the drafting of cybersecurity information sharing legislation, which is expected to be introduced in September upon Congress’ return from the August recess.
Brian Finch (a partner at the law firm of Pillsbury Winthrop), Ray Biagini (a partner at the law firm of Covington and Burling) and Andrea Matwyshyn (a Visiting Professor at Princeton University) educated the committee about the benefits and potential drawbacks of extending the SAFETY Act protections into the cyber domain. Finch and Biagini recommended minor “tweaks” to the language of the Act (actually a section of the Homeland Security Act of 2002) to clarify potential coverage issues, although each took a different approach to the issue.
In his written testimony, Biagini laid out a number of benefits that SAFETY Act protection brings. Included in his analysis was this observation:
“…Over the past 13 years, pursuit of SAFETY Act coverage has become a “best practice” for companies in the homeland security market, which necessarily requires such companies to demonstrate “proven effectiveness” of their anti-terror products or services. Indeed, DHS already has awarded coverage for certain cyber security solutions and technologies. DHS’s focus on “proven effectiveness” will apply equally to cyber solution providers and those companies that are deciding on the quality and scope of their cyber threat protections program. As such, the SAFETY Act should have the salutary benefit of improving the quality of cyber technology and use, thereby hardening networks and enhancing the level of cybersecurity generally throughout the U.S.”
Contrast his position with that of Professor Matwyshyn, who said the SAFETY Act was a disincentive to good cyber practices:
“The SAFETY Act’s primary feature – a grant of limited liability to companies whose products are certified by the Department of Homeland Security and to their customers – is a poor fit for stimulating improvements and incentivizing adherence to best practices in information security. SAFETY Act certifications for information security products are not likely to lead to improved information security in either the public or private sector. Instead, such grants of limited liability for information security products and services are more likely to have the inverse effect. They are likely to unintentionally create incentives for lower quality in information security products and services, indirectly undermining national security and consumer protection advancement.”
This example is only one of many that were debated – in the true sense of that word – during the roughly 90-minute proceeding. As the thoughts expressed in this hearing are incorporated into legislation on liability protection in the cyber domain, future academics, lawyers, judges and risk managers will be smart to look to this hearing as the starting place for determining congressional intent. As such, it represents one of the few times that the seriousness of an issue and the substantive contribution of public witnesses will lead to a better legislative outcome. Or so I hope.
The archived webcast of the hearing can be viewed on the committee’s website.