White House agrees to let Congress codify some cybersecurity policies

Obama administration officials say they will let Congress make permanent in statute some cybersecurity policies the White House initially had wanted the executive branch to authorize, to more quickly implement the law.

The White House in May distributed to lawmakers 52 pages of text for consideration as part of a wide-ranging network protection bill that would empower agencies to promulgate various rules -- a process that often involves cost-benefit analyses, White House reviews and public comment periods.

For instance, Homeland Security Department officials this week said they expect that under their proposal, Internet service providers eventually will be deemed "critical infrastructure" operators subject to greater government oversight -- pending a rule-making. Critical infrastructure systems are regarded as so vital to American life and property that network disruption would be cataclysmic.

"At the end of the day, I do think that the ISPs -- being critical to connectivity for a wide range of entities and therefore likely to cause cascading effects if there is an outage within their infrastructure -- would likely fall within critical, but there would be a [rule-making] process in order to get to that," Greg Schaffer, DHS acting deputy undersecretary for the National Protection and Programs Directorate, said at a Senate Judiciary subcommittee hearing Tuesday afternoon.

Sen. Sheldon Whitehouse, D-R.I., chairman of the Crime and Terrorism subcommittee, said this delay is one of many in the administration's agenda that bother him.

"We don't even get around to defining who the participants are in the protection of our critical infrastructure for some considerable time and some considerable effort in administrative rulemaking," he said. "I'm worried about the extent of the threat that we're facing right now, and the time that it will take to work through some of the administrative procedures that are built into the administration's proposal."

Other White House proposals that would use the regulatory process include descriptions of notifications that businesses must issue to regulators, customers and the media in the event of data breaches.

In addition, DHS, through a rule-making, would create a methodology for companies to use to identify and mitigate security risks to critical infrastructure. The department also would go through the regulatory motions to establish a means of evaluating those improvement plans.

James A. Baker, associate deputy attorney general, said of the proposed regulatory work, "Wherever we can move them into statute, that would be fine as long as we maintain the flexibility that we need to deal with the evolving threat."

Throughout history, administrations and lawmakers have disagreed over how to put laws into action, as they check each other's powers. The implementation of the health care overhaul is an example of this battle.

But even with backing from the executive branch, Whitehouse recalled spending about three years working with the Drug Enforcement Administration to lift a ban on prescribing pharmaceuticals electronically.

"I had the support of the Department of Health and Human Services and ultimately of the attorney general . . . so when that's the pace of something that the government agrees with, it makes me concerned about the prospect of delay" in protecting the country's networks, he said.