
Cyber after Snowden (OA Cyber Summit)

DESCRIPTION

Talk by Matthew Rhoades of the Truman National Security Project at the Open Analytics Cyber Summit.

Page 1

Cyber After Snowden

Matthew Rhoades, Director, Cyberspace & Security Program

Can DC Help Protect Your Networks?

Page 2

Truman Project Members

Page 3

Cyberspace & Security Program

Page 4

Agenda

Looking Back – How we got here

Lame Duck

2015 and beyond

Page 5

Cybersecurity & Congress 2012 - 2014

Page 6

2012: The Debate on Capitol Hill

Key Pillars:
1. Critical Infrastructure
2. Information Sharing
3. DHS v. NSA

Low-Hanging Fruit:
• Education/Workforce
• Research & Development
• Cyber Awareness
• FISMA Reform

Page 7

Securing Critical Infrastructure

• Mandatory Standards: Cybersecurity Act of 2012 v1.0 (Senate)
• Voluntary Standards: Cybersecurity Act of 2012 v2.0 (Senate)
• Market Solution: House of Representatives

Page 8

Legislating Information Sharing

1. What are you sharing?
• PII or Threat Signatures?

2. Who are you sharing it with?
• Civilian Agency? Intelligence Community? Department of Defense?

3. What can it be used for?
• Limited to specific purposes?

4. What is the Standard of Liability?
• Full Indemnity? Negligence?

Page 9

The Interest Groups

National Security Leaders:
• Baseline Standards
• Improved Visibility

Privacy & Civil Liberties:
• Anonymize Info
• Civilian Agency
• Clear Definitions
• Negligence Standard

Business (Chamber of Commerce):
• No Mandates
• Legal Protection

Page 10

2013: Executive Order 13636

Policy Results:

“Industry-led, government facilitated” best practices (NIST)

Increase USG Industry Info Sharing

Privacy & Civil Liberties Oversight

Page 11

A New Agenda for 2013

Political Result: A Smaller Congressional Agenda

• Critical Infrastructure
• Information Sharing
• Role of DHS

• Education & Workforce
• Research & Development
• Awareness
• FISMA Reform

Page 12

Cyber Bills

Committee: Homeland Security
• United States Senate: National Cybersecurity & Communications Integration Center Act; DHS Cybersecurity Workforce Recruitment & Retention Act; Federal Information Security Amendments Act
• House of Representatives: National Cybersecurity & Critical Infrastructure Protection Act; Critical Infrastructure Research and Development Advancement Act; Homeland Security Cybersecurity Boots-on-the-Ground Act

Committee: Commerce
• United States Senate: Cybersecurity Act of 2013

Committee: Intelligence
• United States Senate: Cyber Information Sharing Act of 2014
• House of Representatives: Cyber Intelligence Sharing and Protection Act

Page 13

2014 Lame Duck (Senate)?

Other Issues?
• Marketplace Fairness
• Tax Extenders
• Nominations

Other National Security Issues?
• AUMF
• Sec. 215/Sec. 702/FISA Reform
• Iran

Must Do:
• Continuing Resolution
• Defense Authorization

Page 14

Changing of the Guard

On their way out:
• Mike Rogers (R-MI), House Intelligence
• Buck McKeon (R-CA), House Armed Services
• Carl Levin (D-MI), Senate Armed Services
• Jay Rockefeller (D-WV), Senate Commerce, Science, & Transportation
• Saxby Chambliss (R-GA), Senate Intelligence
• Tom Coburn (R-OK), Senate Homeland Security

Next in line (?):
• Jeff Miller (R-FL), House Intelligence
• Mac Thornberry (R-TX), House Armed Services
• Jack Reed (D-RI), Senate Armed Services
• Bill Nelson (D-FL), Senate Commerce, Science, & Transportation
• Richard Burr (R-NC), Senate Intelligence
• John McCain (R-AZ), Senate Homeland Security

Page 15

Truman Members

Page 16

What happens after a crisis?

Truman National Conference Cyber Exercise

54 Teams
• 34 Congressional offices
• 7 Executive offices & Agencies
• 9 Industry & Interest Groups
• 4 Media Outlets

Day-of Crisis Exercise
• National Security Council Debate
• 7-9 Teams; 25 – 70 Participants
• Define what happened & how to respond

Page 17

What we learned…

1. Uncertainty in response to a crisis

2. In the wake of a crisis, the focus is almost entirely on protecting critical infrastructure

3. In the wake of a crisis, the second priority is developing human resources
