The Cybersecurity Race: Executive Branch Takes The Lead While Congress Watches From The Bleachers

The federal government sector has been abuzz lately with whispers and shouts about pending cybersecurity regulations, frameworks, and requirements. This attention is not particularly surprising, especially given the recent high-profile data breaches, the litigation threats surrounding those breaches, the recent identification of the encryption-disabling, consumer data threatening "Heartbleed SSL" OpenSSL vulnerability, and recent reports that the September 2013 cyber-incursion into the U.S. Navy's Intranet network could have been prevented with the proper security contracting mechanism. Notably, however, while these stories - and the resultant damages that these stories' topics leave in their wake - remain in the headlines, Congress has yet to act (and according to Senator Evan Bayh (D-IN), will likely not be acting anytime soon). By contrast, the Executive branch, and especially the FTC, is in a full-on sprint and tackling cybersecurity wherever it can be found.

Speaking in New York at the American Bar Association Section of International Law 2014 Spring Meeting, Senator Bayh indicated his belief that comprehensive cybersecurity legislation will not be coming out of the 113th Congress. Hovering between prophecy and promise, Senator Bayh stated that only upon a detrimental cyber-attack "that significantly harms the country," would he suspect effective cyber-legislation to be passed. For a myriad of reasons let us hope that doesn't happen because, aside from the harm an attack will cause, Senator Bayh also warned that legislation in the wake of an attack would likely result in "mandatory standards that will make what's been proposed, at least right now, pale in comparison. Because we always way overreact once we've been attacked, and both sides need to get that in their minds, because that's what is coming,"

Meanwhile, while Congress waits and opines, industry should be aware that the Executive branch is on the offensive. Here is a summary of some of the most current events:

On January 23, 2014, the General Services Administration ("GSA") and the U.S. Department of Defense ("DOD") published the Final Report of the Joint Working Group on Improving Cybersecurity and Resilience through Acquisition. The report proposed six overarching changes be made to the U.S. acquisition strategies to imbue cybersecurity concerns into all stages of federal purchasing. While still only recommendations, federal contractors should take note that many of these...