Cybersecurity bill could be stalled by House-Senate differences

The issue of whether to tackle protections piecemeal or as a package is unresolved, along with the question of where to centralize federal authority.

The House Republican tapped to drive passage of cyber legislation across committees said he does not plan to work on a comprehensive bill, a departure from Senate efforts to pass one large package covering federal, private and international networks.

"I just don't think we're going to solve all of cyber in a single bill," Rep. Mac Thornberry, R-Texas, told Nextgov. "And when we try to solve anything in a single bill, it's usually a mess, i.e., health care." He spoke ahead of a Friday Armed Services hearing on the role of the military in protecting cyberspace.

Thornberry said he has an agreement with House Speaker John Boehner, R-Ohio, to push individual committees to act this year. "I told him I don't want to do another study," said Thornberry, whom Boehner appointed to the new post on Dec. 15, 2010.

But if House leaders prefer piecemeal legislation and Senate leaders continue to press for one big measure, then their differences could delay action this year.

Thornberry, who also serves as the Armed Services vice chairman, is using his session on Friday to examine the responsibilities of the Defense Department in protecting commercial targets, government assets and private individuals.

Controversy has long stirred over where to centralize cyber operations inside the federal government. Defense, with its sophisticated technology and vast cyber staff, and the Homeland Security Department, charged with primary responsibility for cybersecurity, are beginning to cooperate more by co-locating critical tools and personnel at the National Security Agency. But civil rights groups and some lawmakers question whether Defense should be allowed to meddle with civilian networks.

"I think it's important to kind of air that out, and then you can have different views on what should DoD be protecting," Thornberry said. "Do they have the technical capability, and do they have the legal authority?"

He said it might be necessary to move separate pieces of legislation next year. "There's no shortage of cyber issues," Thornberry said, recognizing the importance of defending against cyberwar, safeguarding privacy online and growing a federal workforce that intelligence experts say currently does not have enough information security experts to operate in cyberspace.

National security officials on Thursday told the House Intelligence Committee, of which Thornberry is a member, that the impact of potential cyberattacks is hard to overstate. "They were pretty strong on how serious this is as a question of national security," he said.

National Intelligence Director James R. Clapper testified that "In the last year, we have witnessed the emergence of foreign military capabilities in cyberspace. This formalization of military cyber capabilities creates another tool that foreign leaders may use to undermine critical infrastructures that were previously assumed secure before or during conflict."

Last year the threat of a cyberwar became a reality when a new worm called Stuxnet reportedly hobbled systems controlling Iran's nuclear operations. What distinguishes this virus from the common bug is that it attacks industrial control systems powering critical infrastructure, such as electric grids, with the possible intention of programming machines to self-destruct, cyber experts say.

"The [intelligence community] is reaching out to the private sector to ensure current understanding of the dynamic cyber environment," Clapper said. "More government-private sector and international cooperation is still required across the cybersecurity landscape."

Thornberry said he does not yet have specific proposals in mind for changing laws or passing new ones. His priority, however, is guarding the nation against major threats.

"The first job of the federal government is to defend the country," Thornberry said. "If you have issues," which endanger the nation, "that should be your priority."

But Senate Democrats are approaching cyber policy differently. Late last month, the chamber's leaders signaled they were eager to move legislation that would address many information security issues all at once.

Majority Leader Harry Reid, D-Nev., and the several committee chairmen who share jurisdiction over cybersecurity introduced a nonbinding bill, S. 21, that acknowledges the necessity of enacting a law to address 10 aspects of cybersecurity. Those areas include the need to secure government networks; offer private sector incentives to protect commercial networks; encourage IT spending that will create jobs; improve the government's ability to respond to attacks against agencies and the military; guard against identity theft and privacy breaches; promote the free flow of information, safeguard security and fight cyber crimes through international cooperation; and empower federal officers to investigate cyber crimes in a way that respects privacy and encourages innovation.