Administration to Congress: Cyber order is not enough

Senate hearing touches on effects of budget cuts and challenges of moving new legislation, as old disputes resurface.

US Capitol

A renewed debate about the right form for cybersecurity legislation is heating up, and many of last year's contentious issues remain unresolved.

President Barack Obama's executive order (EO) on cybersecurity, issued last month, has been described as a "down payment" on government regulation to secure U.S. critical infrastructure and networks. What happens next, though, could prove to be a battle between Congress, key federal agencies and the private sector.

At a March 7 Senate hearing, officials including Homeland Security Secretary Janet Napolitano and Patrick Gallagher, director of the National Institute of Standards and Technology, testified before lawmakers that much remains to be done in cybersecurity. They also indicated the road ahead may not be a smooth one. The committees on Homeland Security and Governmental Affairs, and Commerce, Science and Transportation, jointly hosted the hearing.

Familiar issues – such as debates over regulation versus incentivization, which sank proposed laws last year – now are resurfacing as Congress once again takes up cyber legislation. This time around, they are compounded by fiscal pressures, primarily the spending cuts under sequestration.

Napolitano said those cuts have clear impact at DHS, where officials now are delaying the release of a next-generation intrusion detection system for government networks, canceling cybersecurity training activities and reducing the number of vacancies filled on the agency's Computer Emergency Readiness Team.

Yet on Capitol Hill, divisions over legislation already are reappearing. House Republicans have revived the controversial Cyber Intelligence Sharing and Protection Act, but in the hearing, Napolitano said that legislation does not go far enough.

"Even in the information-sharing area, I think there were some deficiencies in" the House bill, she said. "It had no privacy protections built around it, which is very important, particularly in the civilian realm. And it resided almost all the cybersecurity information monitoring responsibilities within the [National Security Agency], which is part of the military."

The divisions between which departments handle which networks – the Defense Department oversees the .mil domain, while DHS handles .gov – are a point of contention, she stated.

"We're talking about a completely different environment here, the domestic environment with core critical infrastructure," Napolitano said. She also noted that effective legislation must put into statute the roles and responsibilities laid out in the EO, insert basic standards-setting for core critical infrastructure, and increase research and development. The law would also need to enable a move from paper-based processes to continuous real-time network diagnostics as the Federal Information Security Management Act requires, she said.

Gallagher indicated that, whether under provisions from the EO or possible legislation, there remains a fine line in the relationship between government and industry.

"The tricky issue here is that there is a public accountability for the performance of critical infrastructure. If it fails, it causes impact to the nation," he said. "But these types of standards and requirements also have business impact. They touch how businesses perform and their business practices, and they affect the markets. I think generally there is a reticence to have the government somehow have an undue impact on their business convention."

Still, Gallagher is hopeful that the broad inclusion of industry in both the development of the EO and the forthcoming cybersecurity framework and standards will encourage a better, more collaborative partnership.

"This will work best of all when good cybersecurity is good business. When that alignment occurs, that's where the magic happens and this works very powerfully," he said.

According to Napolitano, the road to the EO – and ideally to effective legislation – has been paved with a sense of inclusiveness led by the Obama administration. Despite her blunt assessments of the challenges ahead, her hope is that it can continue in order to pass laws that successfully protect shared security interests.

"One of the things that happened was a process led by the White House to engage industry in the construction of the EO itself, so it didn't spring like Athena from the head of Zeus," she said. "It was really a collaborative process to begin with."