- Gentlemen, start your drones: Judge’s ruling opens door for commercial use
- Soldier who hid, bragged about not saluting flag to be punished — in secret
- ‘Maverick’ of the seas: ‘Top Gun’ school for U.S. ship officers to launch
- Putin declares Sochi Paralympics open amid Ukrainian protest
- ‘In Jesus name, we pray’ sparks ire at Ohio council meeting
- Navy’s first laser weapon ready for prime time; drone killer to deploy this summer
- Billionaire backer: Rick Santorum ‘needs to be heard’ in 2016
- Obamacare fallout: 49 percent pessimistic; 45 percent ‘scared’
- DHS accused of holding U.S. citizen at airport, using emails to pry into her sex life
- Seattle socialist: Minimum-wage discussion skewed by ‘right-wing’ GAO analysis
HASTERT, HOEKSTRA AND FINCH: Watching the backs of sentinels resisting cyberattacks
Liability protections safeguard technology that protects the nation
Earlier this month, we celebrated the 10th anniversary of the creation of the Department of Homeland Security. It is worth reflecting on what was created 10 years ago, and the authority imparted to it. The Department of Homeland Security represented the largest reorganization of the U.S. government since the creation of the Department of Defense in the late 1940s, and we crafted the Homeland Security Act so the nation would have at its disposal a flexible, forward-leaning agency.
While the department has had its ups and downs over the past 10 years, for the most part, its employees and its leaders, all the way through to Secretary Janet A. Napolitano, have done a fine job of protecting our nation. What has pleased us most, however, is the legislation that passed has proven to be adaptable to meet any number of emerging threats. This is especially true as the current Congress and the Obama administration are working to combat the latest and perhaps most urgent threat -- cyberattacks.
The facts about cyberattacks are well-known: Tens of thousands of new pieces of malware emerge daily, with the public and private sector constantly being probed or outright attacked. It seems as though our nation can now be measured in two types of entities: those who have been hacked and those who don't realize they have been hacked. The consequences of these attacks can range from embarrassing, with the release of otherwise private or sensitive information, to economically ruinous, with the theft of intellectual property, and all the way to catastrophic, with the damage to or destruction of critical infrastructure.
It is no wonder, then, that the past two years have seen great debate in the White House and the Congress over how to better prepare ourselves to confront a cyberattack. Some have advocated increased government regulation, with various federal agencies setting a floor for minimum cybersecurity. Others have argued that while the federal government itself could be doing more, the best role it can take with the private sector would be to encourage it to responsibly share sensitive threat information with at-risk entities. Not surprisingly, the gulf between these two visions is wide. The result has been a legislative stalemate that, despite the personal appeals from Senate leaders and the president himself, is nowhere near resolution.
Without weighing in on this debate, it is vital to address one point repeatedly heard during the debate on cybersecurity legislation. Both Congress and the White House have consistently stated that there is little that can be done to promote good cybersecurity through liability protection without legislative action. Liability protection, of course, is critical because without it, companies may not be willing to offer advanced solutions or adopt them for fear of facing endless second-guessing through litigation after an attack has occurred. If you think this fear is overblown, just ask any defendant in the nearly endless post-Sept. 11 litigation, or from the 1993 World Trade Center attack, for that matter.
The comments on liability protection are both right and wrong. It is true that the creation of affirmative liability protection requires action by Congress, but people are incorrect when they assert that there is little that can be done now to offer liability protections for cybersecurity technologies and services. The fact is that when we passed the Homeland Security Act in 2002, we included just such liability protections, and they are ready for use right now.
Contained within the Homeland Security Act is a law known as the Safety Act. We included the Safety Act in the Homeland Security Act because we did not know where the next attack would come from or who would conduct it. Given that another attack of any scale could happen at any time, we decided that we needed to encourage the private sector to sell and use products and services to deter, defeat or mitigate future attacks. This is because as big as the Department of Homeland Security was going to be, it could not and should not be everywhere. The best way we could encourage the sale and use of security products and services would be to tie their use to meaningful liability protections. That is exactly what we did with the Safety Act, a law that says if you sell or use a useful and effective technology, we will guarantee you a range of liability protections that can be asserted when the inevitable post-attack litigation occurs.
In the 10 years since its passage, the Safety Act has been one of the most effective and beneficial programs administered by the Department of Homeland Security. More than 500 technologies and services have been granted these liability protections by the department, ranging from security-guard services to engineering standards. What many people don't realize, however, is that this program applies equally to cybersecurity products and services as well. Applying these safeguards to cybersecurity was a deliberate decision in 2002. Everyone knew full well that cyberattacks were a possibility, and the Safety Act was drafted specifically so that it would encompass cybersecurity technologies and so that the defenses could be asserted in court after a cyberattack. It even included the definition of an "act of terrorism" (the trigger for the liability protections) so that there was no need to identify who conducted the attack or their motivation. So long as the attack was intended to cause damage to U.S. persons, property or economic interests, the liability protections are available for use.
There is no question that the Safety Act applies in the "cyber" context. Homeland Security has already granted these protections to a few cybersecurity technologies, and the department has confirmed that such protections will apply to a cyberattack, regardless of the identity of the attacker. So what remains is for the private sector to realize that this powerful tool is at its disposal, and that companies should be taking advantage of it now. Using this program more broadly will pre-empt the need for duplicative risk-management programs, provide more stability to insurance markets and, most importantly, will encourage the greater use of effective cybersecurity technologies.
To borrow from an old saying, we are firm believers in examining the U.S. Code twice and legislating once. While more could certainly be done to enhance the Safety Act with respect to cybersecurity concerns (especially as related to providing protections when sharing cyberthreat information), with the Safety Act on the books, there is no need to race to legislate new liability protections. Instead, the country should be taking advantage of a program that already exists and -- most importantly -- is working.
Former Rep. J. Dennis Hastert, a senior adviser at Dickstein Shapiro LLP, served as speaker of the House from 1999 to 2007. Former Rep. Pete Hoekstra, a senior adviser at Dickstein Shapiro, was chairman of the House Permanent Select Committee on Intelligence. Brian Finch is a partner at Dickstein Shapiro.
TWT Video Picks
Taxpayers must pay the freight for over-budget train projects
Get Breaking Alerts
- Kim Jong-un calls for execution of 33 Christians
- Rand Paul wins 2014 CPAC straw poll, Ted Cruz finishes a distant second
- U.S. pilot scares off Iranians with 'Top Gun'-worthy stunt: 'You really ought to go home'
- SAUERBREY: Taxing Marylanders until they flee
- Bill Clinton cashes in on struggling nonprofit hospital
- 'Blarney Blowout' near UMass results in 73 arrests; 4 officers injured
- Russias Putin nominated for Nobel Peace Prize
- 80 people publicly executed across North Korea for films, Bibles
- Vietnam says it may have found door of missing Malaysian jet as intel look into stolen passports
- Bill Clinton poses for photo with Bunny Ranch prostitutes
Recent Letters to the Editor
- LETTER TO THE EDITOR: Time for feckless president to show resolve
- LETTER TO THE EDITOR: Obama reserves 'Chicago way' for GOP
- LETTER TO THE EDITOR: Public education would wither in free market
- LETTER TO THE EDITOR: Turkey not committed to Cyprus peace
- LETTER TO THE EDITOR: Spoiled-kid culture creates greedy adults