WASHINGTON -- The senators backing sweeping and controversial legislation to overhaul U.S. cybersecurity policy pressed their cause Tuesday, signaling in a hearing that they have no intention of backing down from a dramatic expansion of executive authority to respond to an attack on the nation's digital infrastructure.
"This hearing is a next step in examining the important action we should be taking, right now -- as a government and as a national economy -- to harden our defenses and safeguard critical infrastructure against a major cyber attack," said Commerce Committee Chairman John Rockefeller (D-WV).
Rockefeller, along with Olympia Snowe (R-ME), jointly introduced the Cybersecurity Act of 2009 last April, legislation that drew immediate protests from groups that warned against provisions in the bill that could supersede privacy laws in the event of a cyber attack and give the president authority to take temporary control over private networks.
But Rockefeller and Snowe Tuesday indicated that they remain committed to the executive authority provisions in the bill, which they hope to push through the Senate this year.
"We've got to give the president the right to intervene," Rockefeller said. "That's controversial. That'll always be controversial."
The senators said that they and their staffers had held more than a hundred meetings with members of the private sector and other stakeholders and that the bill has been substantially revised at least four times.
Cybersecurity warnings
At Tuesday's hearing, the witnesses offered dire warnings about the vulnerabilities of U.S. digital networks, which are largely owned and operated by firms in the private sector.
"If the nation went to war today in a cyber war, we would lose," said retired Adm. Michael McConnell, the former director of the National Security Agency who currently serves as executive vice president of Booz Allen Hamilton's National Security Business. "We're the most vulnerable. We're the most connected. We've got the most to lose."
McConnell praised the Rockefeller-Snowe bill as a good first step, but in his dark view, policymakers won't be spurred to take the dramatic action he sees necessary until the nation is hit with a crippling attack.
"We will not mitigate this risk," he said. "As a consequence of not mitigating this risk, we're going to have a catastrophic event."
Cyber attack response
The expanded government role in cybersecurity is at the heart of the Rockefeller-Snowe bill, which would elevate the cyber coordinator position President Obama created last year to Cabinet-level status, reporting directly to the president and requiring confirmation by the Senate.
Snowe also suggested that the government could take steps toward establishing more rigid standards, such as shielding companies that adhered to baseline security standards from liability in the event of an attack.
She also called for government agencies to make security a higher priority when making procurement decisions, using the considerable federal purchasing power to move the market toward more secure systems.
But the bill comes out of a concern that the stakes are too high to allow market forces to set the standard for cybersecurity.
"Since this is a network and everything is interconnected, if 10 percent don't do the right thing then 100 percent would be vulnerable," said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, the group that delivered a cybersecurity report to then-President-elect Obama in December 2008. The Rockefeller-Snowe bill draws extensively from the CSIS report.
Not surprisingly, the prospect of an increased government role in private networks has stoked considerable opposition to the proposed legislation.
"Companies tended to resist the idea of the government sort of getting in the way of what they were already doing, which they felt to be adequate," Rockefeller said of his meetings with industry representatives.
Some of that opposition was on display today, with Mary Ann Davidson, Oracle's chief security officer, telling the panel that the real shortfall is in the university system, where security is given short shrift in computer science programs.
"We have to train all computer science graduates in how to write secure code because they weren't taught this in universities," Davidson said.
She suggested that the government slow the push to move critical systems like the electrical grid to IP-enabled networks before implementing standards to secure the millions of devices that would be operating as clients.
In the area of standards, she suggested that a government agency, such as the National Institute of Standards and Technology, could take the lead. Similarly, she urged the senators to focus their attention on the transparency of software development, noting that organizations commonly purchase and deploy software today with little -- if any -- insight into the development process, including the software's ability to withstand an attack.
In addition to setting standards, she suggested that the government's role would properly be limited to using its purchasing power to nudge the market toward higher security and transparency standards.