Over the past several years, members of Congress have made significant progress in identifying the challenges of the cyber threat and coordinating with industry to develop a response, according to John Rockefeller (D-W.V.), the chairman of the Senate commerce committee.
At the same time, Rockefeller did not mask his frustration that the comprehensive cybersecurity bills that he and others have drafted have stalled, prompting the White House to issue an executive order in February calling for, among other things, an improved system for sharing information about threats and attacks.
“We’ve also wasted an awful lot of time by turning an urgent national security issue into a partisan political fight,” Rockefeller says. “The Obama administration got tired of waiting for us. I can’t blame them.”
White House Wants Comprehensive Cybersecurity Bill
At Thursday’s hearing, Homeland Security Secretary Janet Napolitano offered a blunt assessment of the threats facing government agencies and the operators of critical infrastructure in the private sector.
“This is critical, time-sensitive work, because we confront a dangerous combination of known and unknown cyber vulnerabilities, and adversaries with strong and rapidly expanding capabilities,” Napolitano says. “Threats range from denial-of-service attacks to theft of valuable intellectual property to intrusions against government networks and systems that control our nation’s critical infrastructure. These attacks come from every part of the globe. They come every minute of every day. They are continually increasing in seriousness and sophistication.”
Obama’s executive order directed DHS to develop a voluntary, incentive-based program for private-sector firms to partner with the agency in a bid to improve their cybersecurity posture.
That directive also tasked the Commerce Department’s National Institute of Standards and Technology with developing a so-called “cybersecurity framework” to reduce vulnerabilities to critical infrastructure through a year-long, standards-driven process that Patrick Gallagher, the agency’s director, said is already underway, with a series of public workshops planned.
In her testimony, Napolitano urged lawmakers to go further and build on the White House executive order with a comprehensive cybersecurity bill that would address a laundry list of shortfalls in current policy.
“Specifically, Congress should enact legislation to incorporate privacy and civil liberties safeguards into all aspects of cybersecurity, further increase information sharing and establish and promote the adoption of standards for critical infrastructure, give law enforcement additional tools to fight crime in the digital age, create a national data-breach reporting requirement and, finally, give DHS hiring authority equivalent to that of the NSA,” she says.
“We also know that threats to cyberspace and the need to address them do not diminish because of budget cuts. Even in the current fiscal climate, we do not have the luxury of making significant reductions to our capabilities without having significant impacts,” she adds.
Help Wanted: Cybersecurity Experts
DHS, already facing a shortage of cybersecurity experts, has had to slow its hiring activities, and some cybersecurity-response exercises the agency had planned to conduct in concert with foreign partners have been canceled amid the across-the-board spending cuts that recently took effect, according to Napolitano.
Oklahoma Sen. Tom Coburn, the ranking Republican on the Homeland Security and Government Affairs Committee, called Obama’s executive order “timely and appropriate,” but echoed the view of other senators at Thursday’s hearing that it still leaves room for Congress to act to address the cybersecurity challenge.
In a general sense, the call for policies to improve the agility of businesses and government to share information about cyber threats and attacks is probably one of the less controversial aspects of cybersecurity reform, though civil-liberties and privacy advocates have warned against the funneling of personal information that businesses maintain about their users to the government. Those concerns have especially dogged a House cybersecurity bill that focuses narrowly on information-sharing.
But according to Coburn, a significant obstacle to advancing information-sharing proposals remains from the business perspective, as well.
“I’ll speak to the issue that nobody wants [to] directly speak to, is the reason a bill didn’t go through the Senate is because there’s a disagreement on the liability protections for business and industry when they share their information to protect them against frivolous lawsuits,” he says.
Coburn explains that in a series of classified cybersecurity hearings that members of the homeland security committee have convened, Obama administration officials have agreed that liability protections are a major obstacle for the information-sharing component of cybersecurity legislation.
“There hadn’t been one person who’s testified — all administrative witnesses, all administration — who don’t agree that those protections are going to have to be there for us to accomplish what we need to do for our country,” he says.
Even if lawmakers can strike a balance on the information-sharing dimension of the cybersecurity question, a narrow bill focused only on that issue would be “wholly insufficient” to meet the threats, according to Rockefeller. Moving ahead in a piecemeal approach, he argues, would ignore the political reality that there is a limited window for enacting reform in a complex arena such as cybersecurity, which, he points out, lawmakers have been working on for years.
“I don’t think that’s a wise, useful or constructive approach to the kind of bill that we can’t really come back to every year,” says Rockefeller, who has announced that he will retire from the Senate rather than seek reelection in 2014.
Napolitano reaffirmed the Obama administration’s commitment to a comprehensive bill that would include, but hardly be limited to, information-sharing provisions.
“Information sharing is very, very important,” she says. “Real-time information sharing is critical, but it is not the only concern that we have in this arena.”