Cybersecurity overhaul stands a good shot at passage

Inclusion of cybersecurity provisions in Defense authorization bills will make them harder to vote down, but combining numerous cyber bills into one package could pose a challenge to reaching consensus.

Congress' decision to include key cybersecurity provisions in the House and Senate Defense authorization bills increases their odds for passage, said one security expert, although amalgamating numerous pieces of cyber legislation could make establishing a final consensus a challenge.

The House and Senate versions of the authorization bills include provisions that would bring significant change to existing cybersecurity policy, including mandates for agencies to monitor networks to assess cyber threats and incorporate security requirements into contracts from the start.

"It makes it much harder for the White House to reject the measures if they are part of such an important piece of legislation," said Alan Balutis, director of the business solutions group at Cisco Systems and former chief information officer at the Commerce Department.

The House version of the bill passed on Friday and would establish a National Office of Cyberspace in the White House to coordinate responsibilities and to make recommendations to the Office of Management and Budget about cybersecurity spending.

The provisions in the House bill are based on H.R. 4900, sponsored by Rep. Diane Watson, D-Calif., and H.R. 5247, sponsored by Rep. Jim Langevin, D-R.I. Those separate bills will continue to move forward in the House.

Sen. Carl Levin, D-Mich., chairman of the Senate Armed Services Committee, announced on May 28 that the committee completed markup of its Defense bill, which included cybersecurity provisions that mirror those championed by Sens. Joe Lieberman, I-Conn., and Thomas Carper, D-Del., in separate measures. The bill will be released later this week, according to committee staffers.

"There are a number of moving parts," said a staffer from the House Oversight and Government Reform Committee. Although many of the cybersecurity provisions in the Senate bills mirror those in the House versions, he said, it remains to be seen whether the Senate, or the administration, will support a separate cybersecurity office in the White House.

Balutis doesn't expect that provision to stand in the way of passage, however. "Some of the senior security and cybersecurity positions clearly need more teeth -- more clout, more authority, a stick to go along with the carrot," he said. "And there is a rather established precedent in administrations to conduct budget cross cuts when specific activities or initiatives need to be coordinated across government. The budget process gives substantive authorities to the subject matter expert at the lead during these cross cuts."

Other security experts were concerned with specific provisions in the bill. "Congress needs to be careful about issuing technical mandates that project itself as the statutory [chief information security officer] to the rest of government," said a former Homeland Security official who asked to not be named. The mandate that agencies use continuous monitoring, though a good security standard, might cross that line, he said. "Congress should set the bar high, tell agencies to vault over the bar, but don't try to specify their techniques."
