
Obama Administration SAP On Rogers-Ruppersberger

Paul Rosenzweig
Wednesday, April 25, 2012, 4:11 PM

Published by The Lawfare Institute in Cooperation With Brookings

In an earlier post I commented on the politics of the cybersecurity debate.  I wrote: "One final piece of the political calculus is what the Administration wants.  Right now all public signs are that they want BOTH information sharing AND the regulatory structure.  If it is an 'all or nothing' proposition we might well wind up with nothing, or in a game of chicken over blame.  On the other hand, if the Administration agrees to half a loaf that probably means that is all they will get." I'm feeling particularly prescient today.  The Administration has just issued a Statement of Administration Policy (known in government jargon as a SAP, though why anyone would want to use that acronym in a positive way is beyond me).  It seems that the Administration wants the whole loaf and is willing to play a game of "chicken" with the Republican party.  Here is a taste:
The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation's vital information systems and critical infrastructure.  The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace.  Cybersecurity and privacy are not mutually exclusive.  Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats.  Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form. * * * * Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security.  The Administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues.  However, for the reasons stated herein, if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill.
This is all exceedingly unfortunate.  Much of what the Administration writes here (and in more detail in the SAP) can also be said of the McCain alternative to the Collins-Lieberman bill.  I suspect that someone has made the judgement that nobody will get blamed for the failure of cybersecurity legislation (at least not before the next election) and that it is more important to stand behind the Administration's proposal than it is to seek compromise.  Most notably, the SAP comes down four-square for the Collins-Lieberman regulatory structure:
The Administration's proposal also provided authority for the Federal Government to ensure that the Nation's critical infrastructure operators are taking the steps necessary to protect the American people.  The Congress must also include authorities to ensure our Nation's most vital critical infrastructure assets are properly protected by meeting minimum cybersecurity performance standards.  Industry would develop these standards collaboratively with the Department of Homeland Security.  Voluntary measures alone are insufficient responses to the growing danger of cyber threats.
But that regulatory proposal is anathema to Republicans (rightly in my judgment).  If the Administration's bottom line is that it must have the regulatory structure then no compromise is possible. If cybersecurity legislation dies in this Congress, I suspect that we will look back on today as the day that it died.
[UPDATE:  And here is the joint statement response from Chairman Mike Rogers and Ranking Member C.A. "Dutch" Ruppersberger:
“The basis for the Administration's view is mostly based on the lack of critical infrastructure regulation, something outside of our jurisdiction.  We would also draw the White House's attention to the substantial package of privacy and civil liberties improvement announced yesterday which will be added to the bill on the floor. The SAP was limited to the bill in "its current form" - however, as the bipartisan managers of the bill announced yesterday - they have agreed to a package of amendments that address nearly every single one of the criticisms leveled by the Administration, particularly those regarding privacy and civil liberties of Americans. Congress must lead on this critical issue and we hope the White House will join us.”]

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
