For more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised.
The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure.
More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002.
Recent legislative proposals, including many bills introduced in recent Congresses, have focused largely on issues in 10 broad areas (see “Selected Issues Addressed in Proposed Legislation” for an overview of how current legislative proposals would address issues in several of those areas):
• national strategy and the role of government,
• reform of the Federal Information Security Management Act (FISMA),
• protection of critical infrastructure (including the electricity grid and the chemical industry),
• information sharing and cross-sector coordination,
• breaches resulting in theft or exposure of personal data such as financial
information,
• cybercrime,
• privacy in the context of electronic commerce,
• international efforts,
• research and development, and
• the cybersecurity workforce.
For most of those topics, at least some of the bills addressing them have proposed changes to current laws. Several of the bills specifically focused on cybersecurity received committee or floor action in the 112th and 113th Congresses, but none has become law. In the absence of enactment of cybersecurity legislation, the White House issued Executive Order 1336, with provisions on protection of critical infrastructure, including information sharing and standards development.
Comprehensive legislative proposals on cybersecurity that received considerable attention in 2012 are The Cybersecurity Act of 2012 (CSA 2012, S. 2105, reintroduced in revised form as S. 3414), recommendations from a House Republican task force, and a proposal by the Obama Administration. They differed in approach, with S. 2105 proposing the most extensive regulatory framework and organizational changes, and the task force recommendations focusing more on incentives for improving private-sector cybersecurity. An alternative to S. 2105 and S. 3414, S. 3342 (a refinement of S. 2151), did not include enhanced regulatory authority or new federal entities, but did include cybercrime provisions. S. 3414 was debated in the Senate but failed two cloture votes.
Several narrower House bills would address some of the issues raised and recommendations made by the House task force. Four passed the House in 2012 but were not considered by the Senate. They were reintroduced in passed the House again, with some amendments, in April 2013:
• Cyber Intelligence Sharing and Protection Act (H.R. 624), which focuses on information sharing and coordination, including sharing of classified information;
• Cybersecurity Enhancement Act of 2013 (H.R. 756), which addresses federal cybersecurity R&D and the development of technical standards;
• Advancing America’s Networking and Information Technology Research and Development Act of 2013 (H.R. 967), which addresses R&D in networking and information technology, including but not limited to security; and
• Federal Information Security Amendments Act of 2012 (H.R. 1163), which addresses FISMA reform.
One bill from the 112th Congress was ordered reported out of the full committee but did not[...]
The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure.
More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002.
Recent legislative proposals, including many bills introduced in recent Congresses, have focused largely on issues in 10 broad areas (see “Selected Issues Addressed in Proposed Legislation” for an overview of how current legislative proposals would address issues in several of those areas):
• national strategy and the role of government,
• reform of the Federal Information Security Management Act (FISMA),
• protection of critical infrastructure (including the electricity grid and the chemical industry),
• information sharing and cross-sector coordination,
• breaches resulting in theft or exposure of personal data such as financial
information,
• cybercrime,
• privacy in the context of electronic commerce,
• international efforts,
• research and development, and
• the cybersecurity workforce.
For most of those topics, at least some of the bills addressing them have proposed changes to current laws. Several of the bills specifically focused on cybersecurity received committee or floor action in the 112th and 113th Congresses, but none has become law. In the absence of enactment of cybersecurity legislation, the White House issued Executive Order 1336, with provisions on protection of critical infrastructure, including information sharing and standards development.
Comprehensive legislative proposals on cybersecurity that received considerable attention in 2012 are The Cybersecurity Act of 2012 (CSA 2012, S. 2105, reintroduced in revised form as S. 3414), recommendations from a House Republican task force, and a proposal by the Obama Administration. They differed in approach, with S. 2105 proposing the most extensive regulatory framework and organizational changes, and the task force recommendations focusing more on incentives for improving private-sector cybersecurity. An alternative to S. 2105 and S. 3414, S. 3342 (a refinement of S. 2151), did not include enhanced regulatory authority or new federal entities, but did include cybercrime provisions. S. 3414 was debated in the Senate but failed two cloture votes.
Several narrower House bills would address some of the issues raised and recommendations made by the House task force. Four passed the House in 2012 but were not considered by the Senate. They were reintroduced in passed the House again, with some amendments, in April 2013:
• Cyber Intelligence Sharing and Protection Act (H.R. 624), which focuses on information sharing and coordination, including sharing of classified information;
• Cybersecurity Enhancement Act of 2013 (H.R. 756), which addresses federal cybersecurity R&D and the development of technical standards;
• Advancing America’s Networking and Information Technology Research and Development Act of 2013 (H.R. 967), which addresses R&D in networking and information technology, including but not limited to security; and
• Federal Information Security Amendments Act of 2012 (H.R. 1163), which addresses FISMA reform.
One bill from the 112th Congress was ordered reported out of the full committee but did not[...]
