recommended reading

Administration excoriated for delay in proposing cyber plan

A Senate Democrat blasted the Obama administration for holding up passage of cybersecurity legislation that has been subjected to a more than yearlong interagency review process. At a congressional hearing on Wednesday, Sen. Sheldon Whitehouse, D-R.I., secured a commitment from the Homeland Security Department secretary, under oath, to provide him with a near-term deadline for finishing negotiations.

"We need input from the executive branch to sort out the differences between the different committees," he said at the Senate Judiciary Committee session. "There's no point in sorting it out if we don't know where the executive branch is going to stand. . . . We're kind of on hold now, waiting."

The chairman of the multiple Senate committees with jurisdiction over computer security have signaled they want to pass a comprehensive bill that would address 10 elements of cyberspace, among them the security of government networks; private sector incentives to protect commercial networks; safeguards against online identity theft; and law enforcement authorities to investigate cyber crimes.

Last year, the Senate Commerce and Homeland Security and Governmental Affairs committees proposed two differing measures. The HSGAC panel reintroduced its bill last month. At the same time, Judiciary Chairman Patrick Leahy, D-Vt., has indicated he wants to update digital privacy laws.

"In the legislative branch we are now probably a year into a stall in preparing the legislation that I think we urgently need in order to protect our country from a cyberattack," Whitehouse said.

DHS Secretary Janet Napolitano at first declined to say when the administration would finalize its legislative offer.

"You're the secretary of Homeland Security -- that's the central agency for cybersecurity other than the [National Security Agency], which provides the technical horses to everybody," Whitehouse responded. "You've gotta have a sense of how close this is."

After repeated grilling, Napolitano said: "I think it is fairly close, but I hesitate to give you a deadline because I don't know that there is one. . . . I understand and take your frustration to heart and will take it to the White House, and we will try to generate an answer for you."

Without cyber mandates, the administration has used its existing regulatory powers to create agency roles and responsibilities for protecting the nation's digital infrastructure. For instance, in October 2010, Homeland Security and NSA, which is part of the Defense Department, reached a compromise under which they have collocated equipment and staff at NSA to bolster civilian and military networks. And the Commerce Department in January opened an office to coordinate with the private sector on creating an online identification system that will let consumers, companies and software execute secure, online transactions.

Whitehouse, a former Intelligence Committee member, and Napolitano agreed administrative policies do not go far enough. For instance, Whitehouse noted, legislation would be needed to require secure domains, or Web addresses, for critical infrastructure -- systems that could cause catastrophes if disrupted. "I don't think that shuffling things around within the existing authorities is adequate," Whitehouse said.

For her part, Napolitano said she would like to see cemented into law distinct roles and responsibilities for each agency associated with cyber. "Clarity in terms of authorities and jurisdiction in this new and developing area always facilitates operations," she said. "lf we can work with the Senate and get to a bill that clarifies authorities and jurisdictions, I think that that would be very helpful."

Across the Capitol, House Republican leaders have made it clear they do not want a major package enacted. Rather, Rep. Mac Thornberry, R-Texas, who is coordinating cyber legislation in the House, is pushing committees to approve piecemeal measures. Thornberry, who also serves as the Armed Services vice chairman, said his priority is defending the country against major threats, such as foreign military capabilities in cyberspace.

Threatwatch Alert

Credential-stealing malware / User accounts compromised / Software vulnerability

Android Malware Infects More than 1M Phones, Adds 13,000 Devices a Day

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.