Every year, the NTSC brings a sorely needed constituency to the Hill: CISOs. Members of Congress and their staffers enthusiastically welcome the ideas and input of CISOs during our many discussions about the NTSC’s policy priorities. Our Congressional meetings on July 11, 2019 proved dynamic, substantial, nonpartisan, and practical. In this blog post, we summarize at a high level the productive discussion that occurred between CISOs and representatives on our Legislative Day.
Many representatives agree that we need national data breach notification legislation. States’ rights were previously a sticking point, but that’s no longer the case. 54 different state, territorial, and district laws exist, along with notification requirements for different verticals and regulatory agencies. The proliferation of numerous, conflicting data breach notification laws means federal preemption makes sense to many legislators.
To move forward, it’s critical to the success of any national data breach notification bill that the retail industry agrees to its established principles. The NTSC has previously reached out to the retail industry and will continue to engage with them as we seek input into what legislation will serve all businesses well and, thus, have a good chance of passing. Any legislation must also clearly protect people’s information, but getting constituents interested is a problem. People only seem to get upset about this issue when they feel the impact of a major data breach. Otherwise, the consumer doesn’t feel “hurt,” even though the average consumer is hurt by existing data breach notification laws because consumers in different states get less protection. When Anthem got hit with a data breach in 2015, some consumers received better protection depending on where they lived.
Questions also arose related to enforcement, such as which agency would be responsible for enforcing civil and financial penalties on companies if a national data breach notification bill passes. DHS could ultimately play this role, but doing so would complicate the relationship between CISA and the private sector.
The NTSC discussed the idea of creating model legislation and providing Congress with the first draft of a bill we’d like to see, cutting and pasting from previous bills such as Rep. Blaine Luetkemeyer’s (R-MO) bill, which focused only on financial services in an attempt to get something passed. Discussion also centered on problematic definitions such as “harm.”
The Democrats in the House are not prioritizing data privacy as an issue right now. However, some representatives are keeping their focus on data privacy as they watch the impact of state laws (such as the California Consumer Privacy Act) coming into effect and how poor data privacy handicaps the US when it negotiates trade agreements with other countries. The NTSC is taking interest in the Information Transparency & Personal Data Control Act, introduced by Rep. Suzan DelBene (D-WA-01). Rep. Cathy McMorris Rodgers (R-WA) has also put out data privacy principles aiming toward one standard. As a part of contributing to the dialogue, the NTSC offered to draft a set of privacy principles that we want to see in a bill.
Language in a privacy bill becomes very important: the controller versus the processor of information, the definition of a “covered entity,” or pinning down data localization and portability. If a company is in possession of information, regardless of the situation, it would have to comply with a privacy law if it is considered a “covered entity.” In some cases, a company that holds information won’t be accountable for it. The tough part is that creating definitions can also create exclusions.
Before 9/11, many warning signs existed that such an attack was coming, and we were ignoring them. The same thing is happening with cybersecurity right now. We heard concerns about the lack of a cyber czar and many problems with public-private information exchange. Some discussion also occurred about risk management frameworks with DHS and NSA along with the need to build unclassified frameworks that help with interoperability, data sharing, and collaboration.
Representatives recognized the seriousness of the cybersecurity talent shortage and the need for innovative academic programs, often referencing programs at colleges and universities in their districts. While it’s good that many four-year cybersecurity programs are sprouting up, it’s also important to see more cybersecurity programs at technical colleges, community colleges, and even programs not involving degrees. We need to stop pushing the narrative of the four-year cybersecurity degree as the only way for people to begin a cybersecurity career.
Someone mentioned that the Department of Education should get more behind cybersecurity workforce development. It’s a great opportunity for them: they know curriculum development and have relationships with universities. We also talked about the importance of hiring more professors who work in the day-to-day world of cybersecurity. For example, professors could work four days a week and teach one day a week. Cutting through red tape or providing incentives for companies would encourage cybersecurity leaders to become teachers, so that the number of teachers also working in companies increases. The NTSC noted that passion for teaching doesn’t always make for a good teacher, so we also need to explore ways to train and qualify these employee-teachers. The status quo is that universities want people with master’s degrees or doctorates. How do we remove these academic barriers to supply more teaching talent?
Many representatives asked us about AI, giving CISOs the opportunity to educate and offer insights about this emerging and evolving technology. Similar to our discussions at the NTSC National CISO Policy Conference, we explained that AI is a buzzword. Instead, we should ask what AI capabilities are actually available. We talked about automating existing processes, the technical aspects behind machine learning, augmented (rather than artificial) intelligence, and AI working best when humans remain part of the process. To use a basketball analogy, with AI we can currently do slam dunks and long three-pointers but not mid-range shots. With a tremendous amount of data, AI can see connections that humans can’t see, but we are currently at the stage where AI mostly optimizes something rather than solving problems.
Our Legislative Day continues our ever-expanding dialogue between CISOs and the Hill. We use this experience to clarify our policy issues, discuss them with Congress, and walk away with specific action items to advance our mission.
The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, underwriter, or contributing expert? Contact us to learn about ways you can contribute.