By David N. Fagan and Kristen E. Eichensehr
On March 28, our firm hosted an event, co-sponsored with The Chertoff Group, on Legal and Policy Developments in Cybersecurity. The event featured keynote addresses by former Secretary of Homeland Security Michael Chertoff, now Senior Of Counsel with Covington and founder of The Chertoff Group, and Representative Mike Rogers (R-MI), Chairman of the House Permanent Select Committee on Intelligence (“HPSCI”) and principal sponsor of the Cyber Intelligence Sharing and Protection Act (“CISPA”), which passed the House last year and is expected to be re-introduced and voted upon in HPSCI soon.
The program also included a panel discussion examining the scope of the cybersecurity threat confronting the government and private sector; how law, regulation, and policy may address the threat; and certain competing policy imperatives, including balancing security and economic considerations. The panel included three partners at Covington — David Fagan (who moderated), John Veroneau (international trade), and Robert Nichols (government contracting) — along with Prescott Winter, Managing Director of the Chertoff Group; James Mulvenon of Defense Group, Inc.; and Scott Aaronson of the Edison Electric Institute.
As Congress moves toward votes on cybersecurity legislation, we thought it would be timely to offer some reflections on the program and panel discussion. In particular, while cybersecurity is a topic du jour in Washington and the press, the program sought to dig deeper than the headlines, unpack the complexity of cybersecurity, and explore how the interconnection of systems and the related threats impact various legal, policy, and business considerations. The following are some observations from the event:
- Challenge of Meaningful Information Sharing. There is a need for smart mechanisms for cybersecurity threat information sharing to enhance the defenses of networks without triggering privacy concerns. At our event, Chairman Rogers announced that his staff is working to address the concerns of the privacy community, and the Committee’s approach on this front was revealed yesterday. However, as the panel discussion on March 28 noted, “North-South” or “South-North” information sharing — i.e., information sharing between the government and private sector and vice-versa, which is the focus of much of the privacy debate — is not the only information sharing mechanism. There also can be “East-West” (i.e., among the private sector) sharing. In fact, the panel noted that the Defense Industrial Base (“DIB”) pilot program on information sharing became much more effective when it expanded to more participants and the participants received clarity that sharing among themselves pursuant to the DIB pilot would not raise antitrust concerns. Accordingly, how cybersecurity legislation addresses private sector-to-private sector information sharing is a key item to monitor.
- What Happens with Liability Protection? The Executive Order directs the federal government to establish a Cybersecurity Framework to address risks to critical infrastructure and to develop incentives for owners and operators of critical infrastructure to participate in the Framework. However, the federal government cannot offer liability protection in the absence of legislation. The panelists generally agreed that liability protection was the biggest piece of the cybersecurity puzzle missing from the Executive Order, and industry is closely monitoring the Administration’s implementation and the Hill’s reactions to the Executive Order in light of this missing piece.
- Supply Chain Considerations. While many cybersecurity threats arise from relatively unsophisticated attacks — spear phishing, infected thumb drives, etc. — the panel discussion several times returned to the more complex and sophisticated risks that the realities of a global supply chain present to U.S. information networks. The panel acknowledged the risks arising from the fact that components of U.S. information networks inevitably will be made abroad, but also sounded cautionary notes against over-reaction. Foreign ownership of information technology (“IT”) firms and foreign supply of IT components is inevitable in a global, interconnected economy, and the critical challenge, therefore, is how to manage the risk. Indeed, as one panelist noted, the mindset for companies and the government cannot be that they will keep out all threats; rather, they must recognize that perimeter defenses are insufficient and learn to function in a network compromised by malware and advanced persistent threats. In all events, based on recent comments from Chairman Rogers and the recent controversy over IT supply chain restrictions in the continuing funding resolution, these supply chain issues are likely to gain attention in Washington.
- Global Trade Considerations. In connection with the supply chain discussion, John Veroneau noted that the massive losses of trade secrets from cyberespionage may shift the national security establishment’s focus from controlling exports to controlling imports, and that the long-standing assumption that open markets are good for the U.S. economy is being challenged by the fact that U.S. companies now must compete with market players that receive aid from foreign governments. These points touch on a broader issue related to the U.S. approach to cybersecurity and, in particular, supply chain risks — namely, what impact will a policy approach that aggressively pursues supply chain and cybersecurity risks have on global trade rules and commitments? International trade rules are predicated on the benefits that the U.S. and global economy receive from the free flow of goods and services and competition in the marketplace. Thus, when policy-makers and businesses consider cybersecurity risks arising from the sourcing of foreign equipment, they must also evaluate a range of economic considerations. These economic considerations include the extent to which end-users/customers of the equipment and software benefit from increased market competition due to the inclusion of foreign suppliers, and how particular security solutions that the United States adopts could impact U.S. businesses and their position in other markets.
- First to Regulation – Government Contractors? The panel also emphasized that cybersecurity and supply chain requirements will likely first impact industry and the U.S. economy through government procurement. As Robert Nichols noted, government contractors are likely to be at the forefront of government regulation on cybersecurity. Indeed, the most recent National Defense Authorization Act includes cybersecurity provisions, and the Federal Acquisition Regulatory Council has also considered cybersecurity rules.
The panel discussion also touched on two final points. First, the level of understanding of, and attention to, the cybersecurity issue inside the Beltway in Washington is higher than in the rest of the country. Inside the Beltway, those who participate in cybersecurity discussions are familiar with concepts such as Advanced Persistent Threats and “active defense,” but, although cybersecurity is very much a headline for businesses across the country, these detailed terms are less familiar, or even totally unfamiliar, to business leaders and their lawyers outside the Washington policy discussion.
Second, this disconnect between those inside and outside of the Beltway reflects in part the complexity of the cybersecurity issue. Cybersecurity is a technological, social, international, and legal issue, and each aspect has its own complexities. Indeed, on the legal aspect alone, our panel touched on government contracting law, liability protections, privacy and information security, computer crime laws, antitrust, intellectual property protections, and international trade and briefly alluded to insurance. As the breadth of that list makes clear, cybersecurity is the domain of everyone, but one mastered by virtually no one — all the more reason it will be an interesting issue to follow.