Earlier this month, we celebrated the 10th anniversary of the creation of the Department of Homeland Security. It is worth reflecting on what was created 10 years ago, and the authority imparted to it. The Department of Homeland Security represented the largest reorganization of the U.S. government since the creation of the Department of Defense in the late 1940s, and we crafted the Homeland Security Act so the nation would have at its disposal a flexible, forward-leaning agency.
While the department has had its ups and downs over the past 10 years, for the most part, its employees and its leaders, all the way through to Secretary Janet A. Napolitano, have done a fine job of protecting our nation. What has pleased us most, however, is that the legislation that passed has proven to be adaptable to meet any number of emerging threats. This is especially true as the current Congress and the Obama administration are working to combat the latest and perhaps most urgent threat — cyberattacks.
The facts about cyberattacks are well-known: Tens of thousands of new pieces of malware emerge daily, with the public and private sector constantly being probed or outright attacked. It seems as though our nation can now be measured in two types of entities: those who have been hacked and those who don’t realize they have been hacked. The consequences of these attacks can range from embarrassing, with the release of otherwise private or sensitive information, to economically ruinous, with the theft of intellectual property, and all the way to catastrophic, with the damage to or destruction of critical infrastructure.
It is no wonder, then, that the past two years have seen great debate in the White House and the Congress over how to better prepare ourselves to confront a cyberattack. Some have advocated increased government regulation, with various federal agencies setting a floor for minimum cybersecurity. Others have argued that while the federal government itself could be doing more, the best role it can take with the private sector would be to encourage it to responsibly share sensitive threat information with at-risk entities. Not surprisingly, the gulf between these two visions is wide. The result has been a legislative stalemate that, despite the personal appeals from Senate leaders and the president himself, is nowhere near resolution.
Without weighing in on this debate, it is vital to address one point repeatedly heard during the debate on cybersecurity legislation. Both Congress and the White House have consistently stated that there is little that can be done to promote good cybersecurity through liability protection without legislative action. Liability protection, of course, is critical because without it, companies may not be willing to offer advanced solutions or adopt them for fear of facing endless second-guessing through litigation after an attack has occurred. If you think this fear is overblown, just ask any defendant in the nearly endless post-Sept. 11 litigation, or from the 1993 World Trade Center attack, for that matter.
The comments on liability protection are both right and wrong. It is true that the creation of affirmative liability protection requires action by Congress, but people are incorrect when they assert that there is little that can be done now to offer liability protections for cybersecurity technologies and services. The fact is that when we passed the Homeland Security Act in 2002, we included just such liability protections, and they are ready for use right now.
Contained within the Homeland Security Act is a law known as the Safety Act. We included the Safety Act in the Homeland Security Act because we did not know where the next attack would come from or who would conduct it. Given that another attack of any scale could happen at any time, we decided that we needed to encourage the private sector to sell and use products and services to deter, defeat or mitigate future attacks. This is because as big as the Department of Homeland Security was going to be, it could not and should not be everywhere. The best way we could encourage the sale and use of security products and services would be to tie their use to meaningful liability protections. That is exactly what we did with the Safety Act, a law that says if you sell or use a useful and effective technology, we will guarantee you a range of liability protections that can be asserted when the inevitable post-attack litigation occurs.
In the 10 years since its passage, the Safety Act has been one of the most effective and beneficial programs administered by the Department of Homeland Security. More than 500 technologies and services have been granted these liability protections by the department, ranging from security-guard services to engineering standards. What many people don’t realize, however, is that this program applies equally to cybersecurity products and services as well. Applying these safeguards to cybersecurity was a deliberate decision in 2002. Everyone knew full well that cyberattacks were a possibility, and the Safety Act was drafted specifically so that it would encompass cybersecurity technologies and so that the defenses could be asserted in court after a cyberattack. It even included the definition of an “act of terrorism” (the trigger for the liability protections) so that there was no need to identify who conducted the attack or their motivation. So long as the attack was intended to cause damage to U.S. persons, property or economic interests, the liability protections are available for use.
There is no question that the Safety Act applies in the “cyber” context. Homeland Security has already granted these protections to a few cybersecurity technologies, and the department has confirmed that such protections will apply to a cyberattack, regardless of the identity of the attacker. So what remains is for the private sector to realize that this powerful tool is at its disposal, and that companies should be taking advantage of it now. Using this program more broadly will pre-empt the need for duplicative risk-management programs, provide more stability to insurance markets and, most importantly, will encourage the greater use of effective cybersecurity technologies.
To borrow from an old saying, we are firm believers in examining the U.S. Code twice and legislating once. While more could certainly be done to enhance the Safety Act with respect to cybersecurity concerns (especially as related to providing protections when sharing cyberthreat information), with the Safety Act on the books, there is no need to race to legislate new liability protections. Instead, the country should be taking advantage of a program that already exists and — most importantly — is working.
Former Rep. J. Dennis Hastert, a senior adviser at Dickstein Shapiro LLP, served as speaker of the House from 1999 to 2007. Former Rep. Pete Hoekstra, a senior adviser at Dickstein Shapiro, was chairman of the House Permanent Select Committee on Intelligence. Brian Finch is a partner at Dickstein Shapiro.