
Published on September 20th, 2021


Diving into lawmakers’ data breach liability quandary



With help from Eric Geller

Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.

— A Cyberspace Solarium Commission proposal to hold companies liable for certain breaches is hitting roadblocks in Washington.

— Also getting pushback: a proposed amendment in the National Defense Authorization Act pushing the administration to share more information about when it discloses security flaws to contractors.

— Some of cybersecurity policy’s heavy-hitters, including CISA Director Jen Easterly and National Cyber Director Chris Inglis, are on deck to testify in Congress this week.

HAPPY MONDAY, and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. Make sure you say your good-byes to the Dave Thomas Circle Wendy’s here in D.C. before it closes up shop this week to make way for a redesign of that awful intersection. The change is definitely for the best, but as a former Wendy’s fanatic, that weird little fast-food joint will always hold a special place in my heart.

Have story tips for MC? Or feedback on what we should include in the newsletter? Send all of your thoughts to [email protected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below. Let’s get to it:

WHOSE LIABILITY IS IT ANYWAY — A Cyberspace Solarium Commission proposal to allow Americans to sue companies for cyber incidents resulting from product vulnerabilities is hitting a familiar dilemma in Washington: Is it better to punish companies for their shoddy practices or exempt them from liability to encourage information-sharing? Or can you do both?

Those are among the types of questions that have stopped lawmakers from moving forward on the commission’s proposal, as Eric reports for Pros this morning. Unlike more modest cybersecurity policy proposals, this one isn’t included in the must-pass National Defense Authorization Act, and several key committees haven’t even taken up the policy proposal this year.

The proposal would make “final goods assemblers,” rather than intermediaries, liable for breaches and hacks resulting from known vulnerabilities. But skeptics of this approach say it’s still going to be difficult for Congress to determine which company should be open to lawsuits for a particular breach, or when that liability should apply. For example, how strenuously does a company have to try to alert its customers that a patch for a software flaw is available?

— Or, as one tech trade group representative told Eric: “If you think you've solved this, you’re probably wrong.”

Getting companies on board with the idea is a tough sell, especially when Congress has been using liability protections as a bargaining chip to get the private sector on board with other possible new cybersecurity measures. For instance, proposed breach-reporting mandates in both a Senate Intelligence Committee bill and a House Homeland Security draft would exempt those reports from liability to ease the industry’s nerves about sharing information about hacks and data breaches.

Although there hasn’t been a huge public pushback to this proposal, the U.S. Chamber of Commerce, one of the most influential industry groups, still isn’t on board: Matthew Eggers, the group’s vice president of cybersecurity policy, told Eric it would prefer “not to impose liability.”

BRINGING BACK AN OLD DEBATE — As the House prepares for a floor vote on the NDAA this week, a proposed cybersecurity amendment is bringing up old wounds: whether and how to expand the executive branch’s Vulnerabilities Equities Process.

The process charters a board of several government agencies — the Pentagon, NSA, CIA, FBI and the Homeland Security Department — to decide when the government should notify affected entities about security vulnerabilities the government discovers. Although the Trump administration revamped the process in 2017, the program has come under scrutiny for favoring military and intelligence agencies and lacking transparency about how the decision to share vulnerability information is made.

— To combat that, the amendment by Rep. Tom Malinowski (D-N.J.) would update a reporting requirement that influences what is shared with Congress about the VEP process. Under this amendment, those who run the VEP would need to report on more specifics about the results of their votes, such as how many vulnerabilities had been disclosed and how many times someone appealed one of their decisions.

Some of this information is already shared with Congress through its oversight processes. But six of the new reports could be “construed as intruding into the president’s ability to oversee a unified executive branch,” said Michael Daniel, the CEO of the Cyber Threat Alliance and the former Obama cybersecurity adviser who helped create the program. That includes the reports detailing how many of the votes were unanimous, how many were appealed and how many appeals were granted.

“Typically, that’s not the kind of information the executive branch wants to disclose outside of the interagency process, even to Congress,” Daniel told MC in an email.

Not helping matters: The amendment would also require these reports be released to the public, rather than staying classified with Congress. “Even though I am a strong supporter of transparency, I’m not sure that’s a wise policy,” Daniel said.

More to come: This is one of dozens of amendments that touch on cybersecurity policy, including those aimed at beefing up CISA’s budget and others that eye an extension of CISA appointment term limits. The House Rules Committee meets at noon today to set the parameters of debate on the NDAA and decide which of the more than 800 amendments will get a vote.

SPEAKING OF CONGRESS — The Senate Homeland Security Committee has a loaded cybersecurity policy agenda this week with two hearings scheduled featuring heavy-hitters like Homeland Security Secretary Alejandro Mayorkas, CISA Director Jen Easterly and National Cyber Director Chris Inglis. Here are some things to watch:

A “cyber 9/11” discussion: This term is controversial in cyberland, but at a hearing Tuesday about the national security landscape in the decades following the Sept. 11 terror attacks, expect the metaphor to come up. Witnesses include Mayorkas, FBI Director Christopher Wray and National Counterterrorism Center Director Christine Abizaid.

Government officials have a habit of bringing up cybersecurity issues whenever they discuss the future of U.S. counterterrorism efforts. For example, ahead of the attacks’ 20th anniversary earlier this month, Inglis told attendees at a Reagan Institute event that the failures in interagency communications ahead of Sept. 11 are similar to the ones seen in cybersecurity today.

Expect similar themes as the same cast of witnesses testifies on the same topic before the House Homeland Security Committee on Wednesday.

Threats to critical infrastructure: Inglis, Easterly and federal CISO Chris DeRusha will testify Thursday during a Senate Homeland Security Committee hearing about protecting federal government and critical infrastructure systems.

This will be the first time both Inglis and Easterly testify at a congressional hearing since their nomination hearings in June, and after a busy summer, expect the hearing to be jam-packed with questions about everything from implementation of the Biden administration’s cyber executive order to tackling ransomware gangs and Russia.

WHAT SHOULD WE KNOW — The Commerce Department’s Bureau of Industry and Security will publish a request for comments today about what the public thinks should be included in a forthcoming report on the “supply chains for critical sectors and subsectors of the information and communications technology industrial base,” according to a Federal Register notice. The report is mandated in President Joe Biden’s February supply chain executive order and due within a year. The bureau is working on it alongside DHS.

From CISA’s Allan Friedman in honor of yesterday’s “International Talk Like a Pirate Day”: “Capn Larry, the #SBOM pirate, warns ye to never set sail in a vessel if ye don’t know what she’s built of!”

DEPT. OF CORRECTIONS — Friday’s Morning Cybersecurity incorrectly stated the number of graphic novels CISA has released. The latest one is the agency's second.

— The Treasury Department is expected to impose sanctions as early as this week aimed at making it more difficult for hackers to use cryptocurrencies for ransom payments. (The Wall Street Journal)

— Encrypted chat app Telegram has become a hotbed for sharing stolen data from breaches and leaks. (Financial Times)

— “An American Company Fears Its Windows Hacks Helped India Spy On China And Pakistan” (Forbes)

— Opinion: “Arizona’s Audit Continues to Be a Chaotic Mess” (The Atlantic)

— Russian meddling in German elections is intensifying, officials warn. (Bloomberg)

Chat soon.

Stay in touch with the whole team: Eric Geller ([email protected]); Bob King ([email protected]); Sam Sabin ([email protected]); and Heidi Vogt ([email protected]).
