
INTERNET SECURITY ALLIANCE

www.isalliance.org
2500 Wilson Boulevard
Arlington, VA 22201-3834
United States of America
(t) 703 / 907-7090
(f) 703 / 907-7093

The Honorable Harry Reid
Senate Majority Leader
United States Senate
Washington, DC 20510

The Honorable Mitch McConnell
Senate Minority Leader
United States Senate
Washington, DC 20510

Dear Senators Reid and McConnell:

The Internet Security Alliance (ISA) wishes to congratulate and commend the sponsors of S. 3414 for introducing this legislation. This new bill seeks to address a number of serious issues that the ISA has long urged Congress to confront and raises a range of new issues and ideas worthy of serious consideration.

ISA was founded in conjunction with Carnegie Mellon University in 2000 as a multi-sector trade association with representation from most of the designated critical infrastructure sectors and a mission to work with government to create a sustainable system of cyber security. ISA has been sounding the alarm about our cyber vulnerabilities for more than a decade and has long believed that both industry and government need to do more to address the cyber threat. The ISA membership consists of cyber security experts who understand that while the threat is real and immediate, the issue is also subtle and complex.

We believe Congress can and ought to pass meaningful cyber security legislation in this session. However, even well-intentioned initiatives, without careful consideration and discussion with the entities that will be affected by the proposals, can easily make our security situation worse. And that we cannot afford.

In the week we have been given to analyze S. 3414, we have noted a range of positive modifications from previous versions of the bill, many of which have long been advocated by the ISA. These positive steps include:

Elimination of the extensive regulatory structure and direct mandate authority for the Department of Homeland Security. As even supporters of the previous bill testified, under such a regulatory structure it would take 8-10 years for the government to decide what cyber security standards it would want to impose on the private sector. This procedure is obviously out of touch with the state of modern cyber attacks and has been appropriately eliminated.

The instruction to the newly created National Cybersecurity Council to work with the private sector to develop a more incentive-based system of cyber security. Cyber technology and attack methods change so rapidly that no traditional regulatory mechanism can hope to keep up with these attacks. To engage the private sector owners and operators of the system, we need a much more dynamic motivator than traditional regulation. We need to evolve a modern 21st century incentive-based system of security. The bill properly suggests we move in that direction.

The current bill makes better use of the private sector structures identified in the National Infrastructure Protection Plan (NIPP). The vast majority of cyber infrastructure is owned and operated by the private sector. For a sustainably secure system to evolve, we must utilize the structures that the NIPP created, such as the Sector Coordinating Councils and the Partnership for Critical Infrastructure Security (PCIS), in true collaboration, not simply as "stakeholders" who are informed of government actions. The new bill takes positive steps toward truly integrating the NIPP partnership structure in a collaborative effort toward collective and effective cyber security.

While S. 3414 does take several significant steps in the direction of a more progressive and effective cyber security policy than previous drafts, it also introduces several new concepts that require better understanding and analysis before the Senate proceeds to consider enacting them. Some of the major areas of concern include:

Title I

Excessive authority is granted to the new National Cybersecurity Council. Under Sec. 103(b), this entirely new entity is granted ultimate authority over cyber security practices and standards that must be implemented by the private sector. While the Council initially must take input from the Sector Coordinating Councils (SCCs), the SCCs are given inadequate time and no resources to complete this new responsibility. Moreover, under Section 103(b)(1)(D), the Council has authority to amend or add to these practices as it deems necessary, thus rendering the private sector input moot.
Further, the Council is tasked with the enormous job of reviewing and deciding which standards for cyber security are to be implemented for critical infrastructure. Although expert agencies are referred to, their input may be quite limited. For example, the sector-specific agencies do not have a meaningful role in risk assessment, and their role in determining appropriate practices is limited to ensuring that Council-determined practices do not contradict existing standards. Although the Council-determined standards are labeled "voluntary," the Council has the ability to force the expert sector agency to defend any departure from its practice adoption decisions before Congress; the practical effect is to place all authority in the hands of this new, untested Council. Although the bill calls for input from the private sector councils, such as the IT SCC and the PCIS, these councils were not consulted, or even briefed, as to the practicality or process for carrying out these new roles. It must be stressed that this construction is entirely new, having never appeared in any previous bill or draft and never having been the subject of any legislative hearing. Given the stakes present in the cyber threat, and the lack of clarity or specificity of this section, it would be wise to seek input from the private sector councils during a legislative hearing process.

Title IV

The Securities and Exchange Commission's role in cyber security must be carefully calibrated. The ISA has long argued that it is essential for economics to be woven into any realistic discussion of how to promote improved cyber security in the private sector, and thus we have great interest in considering the role of the SEC in this regard. In light of the SEC's recent advisory for publicly held companies to report material breaches, we have launched an assessment of that mechanism. While our investigation is not yet complete, preliminary findings suggest the SEC may be an inappropriately blunt instrument for this purpose. In fact, transforming the mission of the SEC into a cyber compliance entity, rather than one focused on protecting investors, may create more harm than good both in terms of security and investment. The language in Section 415(b), p.153-154, suggests that a cyber breach is per se a material risk. This is a misunderstanding of the state of the cyber art, wherein virtually all systems are subject to breach from advanced threat actors. However, there are multiple mechanisms that can mitigate an attack post-breach.
Moreover, the academic research indicates that the stock pricing effects of cyber events are not associated so much with the breaches themselves as with the publicity surrounding a breach. As a result, the disclosure requirements called for in this provision can actually turn a breach of insignificant consequence into a material event by attracting publicity. Furthermore, since publicity will likely affect stock prices, this provision actually provides an incentive to launch attacks on companies in order to manipulate the stock, causing otherwise avoidable harm to stock owners. Once again, this provision has not been amply vetted and studied and ought not to be rushed to a floor vote in the Senate.
Title VII

The new Information Sharing System is unclear and potentially counter-productive to national security needs. The process for the designation of private sector security exchanges is unclear. Moreover, national security is not included as a purpose for which information can be shared. This is essential to ensure the information is used to the fullest extent, such as in one-on-one information sharing with military agencies, which is allowed in the House-passed CISPA bill but not in S. 3414. Moreover, under Sec. 702(c), p.173, this bill even burdens those wishing to share information with another private entity by providing that the sender may not disclose cybersecurity threat indicators to another private entity that it "knows is reasonably likely to violate" provisions of the Title. Without a further definition of "reasonably likely," institutions that would like to disclose will not disclose, because they will be unable to identify the institutions that fall into this category, and the provision increases the uncertainty around liability.

S. 3414 seems to assume, mistakenly, that only sharing information with the government can improve our nation's security. In point of fact, there are robust private-to-private information sharing systems that we ought to be leveraging, enhancing and broadening. Unlike CISPA or SECURE IT, which provide liability protections for those private sector entities that just want to share amongst themselves and not with the government, S. 3414 provides no such provision (see the interaction of Sec. 706[a][1], p.195-196, and Sec. 703[e], p.177-178). Moreover, S. 3414 provides a significant disincentive for private companies to share information with the government, since such information could potentially be used for a variety of regulatory or investigative purposes (although it is protected from being used for criminal prosecution). Finally, the construction of S. 3414 maintains a mistaken presumption that indicators to be shared are evidence of corporate error (e.g., Sec. 708[7][vii], p.206-207: "Actual or potential harm caused by an incident, including information exfiltration resulting from defeated controls"). The term "indicator" should carry with it no presumption of compromise; so long as it does via statute, there will be legal disincentives to share useful information, thereby endangering our critical infrastructure further.

These are just some of the many issues that need to be carefully and fully addressed prior to moving forward. ISA looks forward to working with the Senate as it analyzes the issues raised in S. 3414. It is our recommendation that S. 3414 be referred to the appropriate Committees of jurisdiction and be processed through regular order so that these novel constructions can be understood and assessed. We believe it would be imprudent for the Senate to approve a motion to proceed on the legislation without providing adequate time and consideration to the unique ideas proposed in the bill.

There are legislative proposals that do enjoy widespread support from both parties and in the private sector. Specifically, the Senate ought to move ahead with legislation such as the SECURE IT Act, which will enhance information sharing among both the public and private sectors, modernize our federal network security (the so-called FISMA reforms), strengthen our nation's law enforcement efforts, and streamline research and development to enhance future cyber systems. These provisions can be approved by the Senate prior to the August break, allowing them to go to conference with the legislation already passed in the House. Such action would not only be a landmark in cyber security policy for this country, but would represent the most aggressive and comprehensive effort to establish coherent cyber security policies world-wide. The state of our nation's cyber systems demands that Congress enact these consensus measures. This will not end the need for Congressional action in this space, but it will be a dramatic series of steps in the right direction and allow time for other, more novel approaches to become better understood and fully developed.

Sincerely,

Larry Clinton
President & CEO
Internet Security Alliance

cc: Members of the United States Senate
