This afternoon the House Republican Cybersecurity Task Force announced a report containing its recommendations on federal cybersecurity legislation pursuant to a request by the House Republican leadership to examine four critical areas: critical infrastructure and incentives, information sharing and public-private partnerships, existing cybersecurity laws, and legal authorities.
The Task Force recommends actions which could be accomplished in the current Congress, and also suggests that hearings should be held in each of the four areas:
- Critical Infrastructure and Incentives: Congress should encourage private companies to improve cybersecurity by adopting voluntary incentives including, among other things, tax credits and grant funding; Congress should also streamline existing regulations and promulgate new regulations narrowly and only as necessary. The issue of insurance and liability for breaches should also be considered to encourage companies to meet mandated security standards.
- Information Sharing and Public-Private Partnerships: A new organization outside of government should be tasked with acting as an information clearinghouse for ISPs and software and hardware vendors in the event of a breach. This model would require amendment of certain existing laws to facilitate information sharing among companies (including addressing the issue of state-by-state data breach laws), and safe harbor and liability protections should be extended to private companies cooperating with this organization.
- Updating Existing Cybersecurity Laws: Several federal laws have not been updated to keep pace with the growth of technology. Some of these include the Federal Information Security Management Act and the Computer Fraud and Abuse Act; various communications and criminal statutes (including RICO) should also be updated to reflect the current state of computer and Internet use.
- Legal Authorities: Congress needs to examine the relationship between government regulation and private business, especially concerning attacks on private entities which may have public repercussions. This discussion should include the military and intelligence communities as well as business, particularly with regard to attacks originating outside the United States.
The report concludes with brief discussions of the areas of recruitment and training of cybersecurity personnel, federal research and development, procurement and the supply chain, and coordination with international laws and establishment of international security standards.