Last week, Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) introduced the Cyber Security Awareness Act of 2011(S.813). Senator Whitehouse explained the need for the bill:
“[W]e as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy. This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked. As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests.”
To remedy this problem, the proposed legislation would require the Department of Homeland Security and the Department of Defense each to submit annual reports to Congress providing statistics about the number of cyberattacks against computers in the .gov and .mil domains, as well as the estimated costs of those attacks. The legislation also calls for annual reports from the Department of Justice and FBI about the numbers of cybercrime investigations, prosecutions, and convictions. Finally, it calls for reports on cyber vulnerabilities and proposed responses from regulators of critical infrastructure, as well as the financial industry.
I have written extensively in the past about the poor quality of public policy discourse on the issue of cybersecurity in the United States. Three issues in particular have been of concern: 1) the lack of clear definitions of key terms and problems, 2) the inconsistent use and quality of evidence backing claims of serious cyber threats, and 3) the lack of transparency by both government and industry. Thus, while I appreciate the Senators’ attempts to address the transparency issue, I am not convinced that greater transparency is truly achievable without addressing the first two concerns, which are not addressed by the proposed legislation.
First, key terms will remain undefined. The bill calls for reports to Congress from DHS and DOD about cyber “intrusions,” “breaches,” “incidents,” and “sabotage.” But it is not entirely clear what those terms (and others) actually mean. Each reporting agency could define them in a different way, making it difficult to compare results across reports and agencies. This will make it difficult to get the kind of overarching view of cybersecurity threats that the Senators claim (correctly) is badly needed.
Second, the annual timeframe of the reporting requirement will exacerbate this problem. Most reports will only be made to Congress once per year. But in the arena of quickly evolving cyber threats, this time scale is too long. While yearly or quarterly summary reports should be required, more frequent, near real-time reporting that is available on the Web should also be required.
Third, Web availability of reporting raises the question of to what degree the reports mandated by this legislation actually serve to increase public awareness. All mandated reports will be to Congress and not directly to the public. If the goal is “public awareness,” then there should be some mechanism for getting this information directly to the public in a form that is understandable and useful. In short, if the concern is public awareness of fast-moving cyber threats at a time when “open government” is supposed to be a priority, annual written reports directly to Congress with no public-facing Web component are inadequate.
Fourth, the work of generating reports meant to raise public awareness is set to occur before or co-occurent with efforts to assess “impediments to public awareness” (sec. 10). This raises two problems. One is that there is no mechanism in the legislation for the results of that assessment to shape future public awareness campaigns. The other is that there is no mandate to assess what the public currently does and does not know about cybersecurity. Ideally, current public awareness should be assessed first and then a plan created for overcoming impediments and addressing gaps in awareness. At minimum, there should be a mechanism by which reporting requirements can be changed based on the results of an assessment of public awareness and related impediments.
Fifth, in each case, reporting requirements include the option of submitting “a classified annex as necessary to protect sources, methods, proprietary or sensitive business information, and national security.” While it is understandable that some information must remain classified, it is not clear how this legislation will guard against the well-known tendency towards over-classification, which is a key cause of poor public awareness of cyber threats in the first place.
Finally, another contributor to poor public awareness (and, hence, poor public discourse on cybersecurity) is the way in which evidence is deployed (or not) in support of claims made about cyber threats and vulnerabilities. There are too many claims made that are insufficiently supported with adequate evidence (see my previous posts linked above). The proposed legislation does nothing to address that problem. For example, it asks for “estimated costs for remedying the breaches” from both DHS and DOD. But how will Congress and the public be certain about the accuracy of these estimates or the data and methods used to calculate them? Add in the lack of agreed definitions and there is a very real possibility that instead of meaningfully increasing public awareness, these reports will merely serve as one more vehicle for reporting agencies to pad their own budget requests.
In conclusion, while the spirit of the Senators’ legislation is to be applauded, it is not clear that it will actually solve the problem it seeks to address. What’s more, if problems of definition, over-classification, and questionable use of evidence are not adequately addressed, the legislation could actually serve to further undermine public awareness instead of improving it.