Will Any Meaningful Cyber Legislation Make It to the President’s Desk?
No fewer than five pieces of cyber legislation have recently been proposed in Congress. Yet, if history is any judge, none is likely to be signed into law. The only bills that seem to make it over the hurdles are safe acts that do not break new ground but instead reinforce existing policy.
For example, the National Cybersecurity Protection Act (NCPA) of 2014 codified the already up-and-running—for more than six years—National Cybersecurity and Communications Integration Center, or NCCIC (pronounced N-Kick). Yes, that’s right: the legislation simply gave statutory “being” to an entity that has been operating for six-plus years. Included in its provisions was the typical laundry list of things the NCCIC should do: provide a federal civilian interface for multidirectional and cross-sector sharing of information; enable shared situational awareness; coordinate the sharing of information; facilitate cross-sector coordination; share the analysis conducted; and provide information and recommendations. In other words, a lot of information sharing. Also included is the requirement to finally publish and maintain the National Cyber Incident Response Plan (NCIRP), which has been in draft form since 2010.
So basically the NCPA really added only a requirement that the Department of Homeland Security (DHS) take the NCIRP out of draft mode and finalize the process. This leads to my main point and also to executive action. The only cyber legislation that passes our Congress these days is uncontroversial, plain, simple legislation, such as the codification of an entity that has been running for six years—not controversial information sharing legislation.
But because the White House apparently does not have confidence in the DHS and its NCCIC capabilities, the administration created the Cyber Response Group (CRG)—sort of. The CRG had been operating for a while, but it was reinvigorated in July 2014. However, the administration did create the Cyber Threat Intelligence Integration Center (CTIIC).
The CRG is to share threat information, understand plans of state and non-state actors, coordinate responses across government and identify any legal hurdles to proposed courses of action. The CTIIC is to be closely tied to the CRG and to be a national intelligence center focused on “connecting the dots.”
So basically, the CRG and CTIIC are to do what the DHS and the NCCIC are to do statutorily. In other words, it is a battle between “I’m just a bill” versus “I’m an Executive Order.” Well, actually, I am remiss—the CTIIC was created under the authority of the Intelligence Reform and Terrorism Prevention Act of 2004, so who’s to say who has precedence?
Robert Clark is an Army Cyber Institute Fellow for Cyber Law at West Point.