Cybersecurity panel places hill oversight on back burner

An independent commission set up to make recommendations on improving national cybersecurity efforts will shy away from proposing any changes to congressional oversight, even though some experts believe an overhaul is needed.

Comment on this article in The Forum.The Commission on Cyber Security for the 44th Presidency, established by the Center for Strategic and International Studies, plans to issue a final report in mid-November to help guide the new president's cybersecurity efforts. But the commission decided it would be too difficult to recommend changes in congressional oversight of cybersecurity programs, said James Lewis, director of the technology and public policy program at CSIS.

"We wanted to do things that could be achieved, that had a chance to get done in the first year," Lewis said in an interview. "And we decided congressional reform was not in that category." He said panel members discussed some options with congressional aides and considered a proposal to create a joint Senate and House cybersecurity committee, but ultimately decided against it. Lewis added that the commission's main purpose is making recommendations that the executive branch can implement.

Several cybersecurity experts said an overhaul of congressional oversight is needed and the time is ripe with a new Congress beginning work in January. They said some committees and individual lawmakers are doing good work. But overall, the congressional oversight structure is fragmented and sometimes leads to competing and confusing directives from different committees, they said.

"You've got a multitude of committees who all technically have oversight over the departments they watch," said Steven Bucci, former deputy assistant secretary of Defense for homeland defense. He described the fragmented oversight structure as a hindrance. But he added that cybersecurity efforts are also fragmented inside the executive branch. "It's very, very difficult to ever cut the pie very cleanly, not just for cyber but for any other issue that you can come up with," said Bucci, who now leads cybersecurity efforts at IBM.

"It may be well-served to take a look at how to align [congressional oversight] in a way that is more coherent and unified," said Liesyl Franz, vice president for information security programs at the Information Technology Association of America. She said congressional leaders should ensure that oversight activities are coordinated and that directives do not conflict. Congressional committees, for example, have taken different approaches on legislation dealing with notification requirements after computer security breaches. She said ITAA would like to see a national approach with regard to such legislation.

"The way we see legislation coming out is clearly along jurisdictional lines," said Franz, who previously worked on cybersecurity at the Homeland Security Department.