Cyber After Snowden: Can DC Help Protect Your Networks?
Matthew Rhoades, Director, Cyberspace & Security Program
Truman Project Members
Cyberspace & Security Program
Agenda
  Looking Back
  How we got here
  Lame Duck
  2015 and beyond
Cybersecurity & Congress 2012-2014
2012: The Debate on Capitol Hill
Key Pillars:
  1. Critical Infrastructure
  2. Information Sharing
  3. DHS v. NSA
Low-Hanging Fruit:
  Education/Workforce
  Research & Development
  Cyber Awareness
  FISMA Reform
Securing Critical Infrastructure
  Mandatory Standards: Cybersecurity Act of 2012 v1.0 (Senate)
  Voluntary Standards: Cybersecurity Act of 2012 v2.0 (Senate)
  Market Solution: House of Representatives
Legislating Information Sharing
  1. What are you sharing? PII or threat signatures?
  2. Who are you sharing it with? Civilian agency? Intelligence Community? Department of Defense?
  3. What can it be used for? Limited to specific purposes?
  4. What is the standard of liability? Full indemnity? Negligence?
The Interest Groups
  Baseline Standards; Improved Visibility; National Security Leaders; No Mandates; Legal Protection; Privacy & Civil Liberties; Business (Chamber of Commerce); Anonymize Info; Civilian Agency; Clear Definitions; Negligence Standard
2013: Executive Order 13636
Policy Results:
  Industry-led, government-facilitated best practices (NIST)
  Increase USG information sharing with industry
  Privacy & Civil Liberties oversight
A New Agenda for 2013
Political Result: A Smaller Congressional Agenda
  Critical Infrastructure
  Information Sharing
  Role of DHS
  Education & Workforce
  Research & Development
  Awareness
  FISMA Reform
Cyber Bills (by committee)
Homeland Security
  United States Senate: National Cybersecurity & Communications Integration Center Act; DHS Cybersecurity Workforce Recruitment & Retention Act; Federal Information Security Amendments Act
  House of Representatives: National Cybersecurity & Critical Infrastructure Protection Act; Critical Infrastructure Research and Development Advancement Act; Homeland Security Cybersecurity Boots-on-the-Ground Act
Commerce
  United States Senate: Cybersecurity Act of 2013
Intelligence
  United States Senate: Cyber Information Sharing Act of 2014
  House of Representatives: Cyber Intelligence Sharing and Protection Act
2014 Lame Duck (Senate)?
Must Do:
  Continuing Resolution
  Defense Authorization
Other Issues?
  Marketplace Fairness
  Tax Extenders
  Attorney General Nomination
  Nominations
Other National Security Issues?
  AUMF
  Sec. 215 / Sec. 702 / FISA Reform
  Iran
Changing of the Guard
On their way out:
  Mike Rogers (R-MI), House Intelligence
  Buck McKeon (R-CA), House Armed Services
  Carl Levin (D-MI), Senate Armed Services
  Jay Rockefeller (D-WV), Senate Commerce, Science, & Transportation
  Saxby Chambliss (R-GA), Senate Intelligence
  Tom Coburn (R-OK), Senate Homeland Security
Next in line (?):
  Jeff Miller (R-FL), House Intelligence
  Mac Thornberry (R-TX), House Armed Services
  Jack Reed (D-RI), Senate Armed Services
  Bill Nelson (D-FL), Senate Commerce, Science, & Transportation
  Richard Burr (R-NC), Senate Intelligence
  John McCain (R-AZ), Senate Homeland Security
Truman Members
Crisis Exercise
National Security Council debate: define what happened and how to respond
Scenario:
  Water contamination linked to Cyber Hizbollah
  DDoS on AMEX & Visa linked to SEA
How Would You Advise the President?
Define the act as:
  1. Criminal
  2. Armed Attack
  3. Unsure
Respond by:
  4. Diplomatic Measures
  5. Covert Measures
  6. Kinetic Measures
  7. Unsure
TruCon Legislative Exercise
Begins 30 days after the crisis
Scenario: 2 FL power plants offline
Goal: pass legislation
350 players / 54 teams: Congress; Administration; Media; Industry & Advocacy
What would be the centerpiece of your legislation?
  1. Critical Infrastructure Standards
  2. Information Sharing
  3. Privacy & Civil Liberties
  4. Data Breach
  5. Research & Development
  6. Education & Workforce Development
  7. Other
What we learned
  1. Inconsistency in response to a crisis
  2. In the wake of a crisis, the focus is almost entirely on protecting critical infrastructure
  3. In the wake of a crisis, the second priority is developing human resources