
Any cybersecurity bill is better than no bill, Senate panel told


A panel of security experts urged Congress on Wednesday to do something—anything—to combat cyberthreats to the United States.
The panel of witnesses before the Senate Homeland Security and Governmental Affairs Committee had specific recommendations, but with a nearly unified voice they all agreed that moving ahead with any current legislative proposals is better than doing nothing.
“If we don’t act now, I can assure you that whatever comes after something bad happens will be much more draconian and not as constructive as it could be,” Frank Cilluffo, director of George Washington University's Homeland Security Policy Institute, told the committee.
Senate Majority Leader Harry Reid, D-Nev., has said he wants to move forward with floor debate on the Cybersecurity Act of 2012 by the end of July.
The bill is championed by leaders of the Senate Intelligence, Commerce, and Homeland Security committees, including Homeland Security panel Chairman Joe Lieberman, ID-Conn. But the bill has been delayed for months because some Republicans don’t want the Homeland Security Department to have the authority to help set security standards for some private networks.
But former National Security Agency and Central Intelligence Agency Director Michael Hayden said all the proposals on the table, including standards, information sharing between businesses and government, and a potential increased role for U.S. intelligence agencies, should be enacted.
Any potential problems can be ironed out later, he said. “I’d do them all. And I would keep an open mind and adjust fire in a year or two.”
Earlier this week, the head of the U.S. Cyber Command, Gen. Keith Alexander, urged lawmakers in a speech to enact a bill before a catastrophic attack leads to an overreaction.
RAND Corp. terrorism analyst Brian Michael Jenkins said no bill will be 100 percent right. But, he said, “It’s important to get these things moving rather than finding the absolute perfect legislation.”
That did not sit well with Senate Armed Services Committee ranking member John McCain, R-Ariz., who is a chief critic of Lieberman’s Cybersecurity Act and who has introduced competing cybersecurity legislation of his own.
Invoking the Hippocratic oath, McCain rebuked the witnesses for not acknowledging the potential harms he sees in giving government officials the authority to set security standards. “The first principle is do no harm,” McCain said. “The thing we don’t want to do is do something wrong.”
McCain and other Republican committee leaders are pushing their own bill, which mirrors many of the Cybersecurity Act’s proposals such as encouraging businesses and government to share cyberthreat information with each other, but leaves out any new authority to set standards.
Several compromise proposals are in the works that would soften some of the standards proposals.
But many of the proposals are still eliciting pushback from businesses, which don’t want new regulations, and civil liberties advocates, who fear information sharing could undermine privacy.
The latest United Technologies/National Journal Congressional Connection Poll found that despite expressing concern over cyberthreats, a majority of Americans don’t favor information sharing because of privacy concerns, and are opposed to government-set standards.
Homeland Security Committee ranking member Susan Collins, R-Maine, has held on as the lone GOP cosponsor of the Cybersecurity Act. She said the protection of critical networks such as those connected to electric grids and water-treatment plants can’t be left up to voluntary measures.
Waiting to act, Collins said, is risking a catastrophic cyberattack.
“I can think of no other area where the threat is greater and we’ve done less to counter it,” she said.
