Congress Should Take Risk-Based, not Geography-Based, Approach to Cybersecurity
Yesterday, the House and Senate Appropriations Committees unveiled an omnibus appropriations bill for Fiscal Year (FY) 2014. Their late nights of negotiations have resulted in a bill that will keep the government operating for the rest of the fiscal year, providing businesses and U.S. citizens with fiscal certainty that essential services and policies will continue apace and without interruption through October 1st of this year.
For the past year, the tech sector and business community have been concerned about requirements included in two prior temporary funding bills that had the unintended result of putting the U.S. tech sector at a disadvantage both domestically and abroad. These requirements imposed risk assessment restrictions on certain agencies’ IT procurements involving goods and services connected to China. Checking the “good product security” box based solely on geographic location is simply an exercise without a positive security result. In fact, product security is a function of how, not where, a product is made, and the most effective way to address cybersecurity is holistic and risk-based.
Given these concerns, the House and Senate appropriators are taking important steps to reevaluate the current geographic-driven approach. Consequently, Section 515 in the just-released FY 2014 omnibus spending bill represents an improvement over current law by opting for a more risk-based approach to cybersecurity that focuses on some, not all, agency IT procurements—namely on “high-impact” and “medium-impact” IT systems. This risk-based approach helps to focus federal government resources on systems critical to agencies as they carry out their missions. The risk-based approach based on cyber threats also makes singling out specific countries unnecessary.
Unfortunately, the specific reference to China remains in Section 515, and ITI remains concerned about congressional proposals that take a geographic approach to cybersecurity. We will monitor how Section 515 is enforced, and continue to advocate for risk-based, rather than geography-based, approaches to cybersecurity.