Establishing Digital Trust: Don't Sacrifice Security for Convenience
Senator Joe Lieberman's not wasting any time.
Lieberman (I-Conn.), who chairs the Senate Committee on Homeland Security and Governmental Affairs, said at a hearing Tuesday that he intends to bring legislation paving the way for a major overhaul of federal cybersecurity policy to a markup session next week.
The bill, cosponsored by Susan Collins (R-Maine) and Tom Carper (D-Del.), was only introduced last Thursday.
"We took a long time in getting to this point, but now we've got our foot on the gas, because this is really urgent," Lieberman said.
The Protecting Cyberspace as a National Asset Act would establish a framework for government coordination with the private sector and set baseline security requirements for critical infrastructure, such as telecommunications networks, power grids and financial systems, and clarify and consolidate federal oversight of the integrity of those systems.
The legislation would install cybersecurity offices both in the White House and the Department of Homeland Security, expanding the role for each of those entities in shoring up civilian systems. Both offices would be headed by a Senate-confirmed director who would serve as an advisor to the president on cybersecurity issues.
The legislation would also extend to the president the authority to issue a temporary directive to shut down vulnerable infrastructure in the event of a severe attack, though the bill's authors insist -- in apparent anticipation of protests against a government takeover of the Internet -- that those provisions would be confined to the most extreme situations and would require the president to notify Congress before invoking the emergency powers. Any emergency measures would automatically expire within 30 days.
"We have carefully circumscribed that authority. It is limited in duration and scope," Collins said, arguing that the provisions are necessary because the president's emergency powers in the face of 21st century information attacks are unclear under current law.
"It's so evident that cyberattacks are happening every day and are only going to get worse, it just cries out for us to establish the rules now," she said. "For far too long our approach to cybersecurity has been disjointed and uncoordinated. This simply cannot continue. The stakes are too high."
Current situation unsatisfactory
A recent cyberwar games exercise staged in Washington, D.C. involving many former high-ranking government officials highlighted the legal ambiguity of the president's authority in the event of a major assault on the country's digital infrastructure, particularly when the origin of the attack is unknown.
The bill would also tighten the Department of Homeland Security's oversight authority, requiring private-sector operators of critical infrastructure to report major breaches to the new cybersecurity agency. It would also establish liability shields for companies in compliance with the federal cybersecurity standards that suffered a breach.
Philip Reitinger, a DHS deputy undersecretary who heads the National Protection and Programs Directorate, was on hand to testify today, though he chose his words carefully, explaining that the administration has not taken an official position on the legislation.
He did, however, express support for many of its provisions, including the consolidation of authority over civilian networks within DHS and provisions that would attempt to train and recruit into government more cybersecurity experts.
The department has undertaken its own efforts to beef up its ranks, announcing plans last October to bring in 1,000 cyber experts over the next three years. Reitinger today said that DHS had increased its cybersecurity staff from 35 to 118 in the last fiscal year, and that it is aiming for a twofold increase this fiscal year.
Reitinger acknowledged that the government is at an inherent disadvantage in competing with the private sector for cybersecurity talent, but he said efforts to reduce the hiring lag time and increase compensation -- which are described vaguely in the bill -- would help the government's cause.
"We're very clear: if you come to work for the government -- indeed, any part of the government -- you're going to make a sacrifice if you're in cybersecurity, because you're not going to make what you could in the private sector," Reitinger said. "But if we can bring them on more rapidly, pay them something comparable to what they would get in the private sector, they will do that to help protect our country."
Plenty still to do
Lieberman encouraged Reitinger to respond with an administration position on the legislation in short order, given his goal of marking up the bill next week.
Should the bill graduate from committee, it could face a substantial revision once it gets to the floor, as several other cybersecurity bills are also in various stages of the process in the Senate. One similar comprehensive overhaul with many overlapping provisions cleared the commerce committee in March.
Other, more limited measures from the armed services and judiciary committees are also in play. Reconciling the bills is likely to cause some friction over the appropriate balance of authority in the cybersecurity arena between DHS and the defense and intelligence agencies.
Senate Majority Leader Harry Reid has signaled that he would like to schedule floor time for debate and pass a cybersecurity bill this year.