Legislative Branch Activity

Cybersecurity Legislation

Last week, Department of Homeland Security (DHS) Secretary Jeh Johnson offered some encouraging news to cybersecurity stakeholders in comments at the Reuters Cybersecurity Summit, noting that he believes that Congress is likely to agree on cybersecurity legislation this summer. While he did not comment on any of the specific bills that are currently being considered in Congress, he did say that cybersecurity legislation could include limited liability for some targeted, specific transactions to protect companies that choose to share information about cybersecurity threats. In addition, he said that legislation should also update the Federal Information Security Management Act (FISMA), clarify DHS’s role and authority to protect government web networks, and clarify the process for information sharing between the private sector and the federal government.

Hearings this Week

  • Wednesday, May 21: The House Homeland Security Subcommittee on Counterterrorism and Intelligence and Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies will hold a joint hearing titled “Assessing Persistent and Emerging Cyber Threats to the U.S. Homeland.”
  • Wednesday, May 21: The Senate Homeland Security and Governmental Affairs Committee will hold a mark-up to consider a number of bills, including the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014. This bill has not officially been introduced at this time.

Executive Branch Activity

NIST Cybersecurity Framework

Several events are planned for the coming months as the National Institute of Standards and Technology (NIST) and DHS work with cybersecurity stakeholders to implement the NIST Cybersecurity Framework that was officially unveiled in February. NIST is planning to release a status update in the coming weeks on its implementation efforts thus far and to address feedback that NIST has received on areas noted in the Framework document for further development, such as future governance and specific technical areas. In addition, NIST officials have indicated that they will provide more public comment opportunities in the future on various aspects of the Cybersecurity Framework.

DHS is currently working with stakeholders on implementation of the NIST Cybersecurity Framework through its Critical Infrastructure Cyber Community (C3 or C-Cubed) Voluntary Program. The C3 Program will be hosting a couple of workshops, including one on June 18 in Cambridge, Massachusetts, and another in September in San Francisco, California. In addition, DHS will host a number of sector-specific workshops to discuss the Framework’s implementation, including one with the financial services sector in New York City, New York, in August.

The Small Business Administration (SBA) is also planning to announce a series of seminars related to the implementation of the Cybersecurity Framework for small businesses and to discuss cybersecurity issues in general.

International Cybersecurity Norms

In April, the North Atlantic Treaty Organization’s (NATO) cybersecurity center of excellence held a workshop with 26 experts from around the world to discuss the development of norms of behavior in cyberspace and international relations efforts related to cybersecurity. Participants at the workshop discussed what international cyber norms would look like, what their scope would be, how they would be used in different contexts, how to implement the norms and what other factors need to be considered when seeking to delineate common standards of international behavior. NATO is planning to have a follow-up workshop this June in Estonia. In addition, NATO’s cybersecurity center of excellence will also issue a report on cyber norms by the end of the year.