Praise for Obama’s Cybersecurity Order as Senate Renews Debate
A handful of the Senate’s top cybersecurity hawks commended President Barack Obama for issuing a cybersecurity executive order to improve the security of the nation’s most critical infrastructure, at a joint hearing Thursday by the Senate Commerce and Homeland Security and Governmental Affairs committees. Despite previous warnings that an order would actually hurt U.S. companies’ ability to protect themselves from cyberattacks, even some Senate Republicans offered veiled praise for the order. Agency leaders at the Department of Homeland Security and the National Institute of Standards and Technology (NIST), which are tasked by the executive order to help U.S. owners of critical infrastructure, told lawmakers that they're working hard to comply with the order but said they are concerned the sequester may negatively affect their agencies’ ability to protect the nation from attacks.
Senate Commerce Chairman Jay Rockefeller, D-W.Va., said the order was released because “the Obama administration got tired of waiting for us. I can’t blame them. This is a problem that is growing worse every day.” The presidential order, issued last month, aims to strengthen U.S. cyberdefenses, increase information sharing between the public and private sectors and develop baseline cybersecurity standards (CD Feb 14 p3). This Congress will be Rockefeller’s last opportunity to pass a comprehensive cybersecurity bill before he retires from the Senate.
Homeland Security and Governmental Affairs Chairman Tom Carper, D-Del., also commended the president for issuing an executive order but said the authorities it provides are “simply not enough to get the job done.” “We know that more needs to be done on information sharing so that companies can more freely share best practices and threat information with each other and with the federal government,” he said. Carper, who became chairman of the committee after the retirement of former Sen. Joe Lieberman, I-Conn., has not yet provided a timeline to release his committee’s cybersecurity bill.
Some Senate Republicans offered light praise for the president’s order, which they said will drive the Senate debate and identify gaps in national cybersecurity policy which should be filled with legislation. Senate Commerce Ranking Member John Thune, R-S.D., said he was initially “skeptical” of the president’s cybersecurity order but said it “may provide an opportunity for Congress to find common ground on other steps that will improve our cybersecurity.” Homeland Security and Governmental Affairs Ranking Member Tom Coburn, R-Okla., commended the president for showing “real leadership” with the executive order, and said lawmakers “need to come behind and shore it up.”
The ghosts of last year’s bitter cybersecurity debate surfaced as some lawmakers bemoaned the partisanship that sank the Senate cybersecurity bill, S-3414, in the last Congress. Rockefeller griped that lawmakers have “wasted an awful lot of time by turning an urgent national security issue into a partisan political fight.” Cybersecurity legislation tanked last year after the Senate was unable to come to an agreement over the inclusion of baseline, voluntary cybersecurity best practices for owners and operators of critical infrastructure, among other disagreements. Coburn added that he thought the reason that cybersecurity legislation failed last Congress was “a disagreement on the liability protection provisions” in S-3414. “We have to get past that one issue” and address the others, he said. Sen. Ron Johnson, R-Wis., noted that another reason for the failure of last Congress’s cybersecurity bill was that “last time there was an assumption that business had to be dictated to.” But he said that following the release of the executive order “it sounds like the reaction from businesses has changed pretty dramatically.”
Homeland Security Secretary Janet Napolitano said Congress must support the president’s cybersecurity order by enacting “a suite of comprehensive cybersecurity legislation.” She said legislation should offer privacy and civil liberties safeguards, further increase information sharing, give law enforcement “new tools to fight crime in the digital age” and provide DHS with greater freedom to hire qualified cybersecurity professionals, among other items. Napolitano urged Congress to address the sequester, which she said would require the government to “scale back critical capabilities for the defense of federal networks.” Specifically she said the sequester will delay the rollout of the government’s Einstein 3-Accelerated threat detection program “by at least one year,” cause DHS to reduce the number of cybersecurity professionals and cause the federal government to cancel its cybersecurity readiness exercises.
Napolitano suggested the agency may provide some private sector incentives like giving federal procurement preferences to those who comply with cybersecurity guidelines and a seal of approval for those who meet the standards. Such incentives are necessary because “the market itself has not provided sufficient incentive yet to voluntarily raise their standards,” she said. The president’s order directs DHS to identify which critical infrastructures are at the greatest risk for attacks that could result in catastrophic effects on public safety, economic security or national security. The order also tasks DHS with overseeing the private sector’s implementation of NIST’s forthcoming cybersecurity standards and offering incentives to adopt them. Homeland Security, Commerce and Treasury departments are required to detail their final recommendations on incentives to the White House in June.
Napolitano slammed the House Cyber Intelligence Sharing and Protection Act (CISPA) for its “deficiencies” including a lack of privacy protections to govern its provisions for information sharing. “Real-time information sharing is critical but it isn’t the only concern we have in this arena,” she said.
NIST aims to work collaboratively with industry to help companies address the cybersecurity risks they face, testified Patrick Gallagher, NIST director. The president’s cybersecurity order directs NIST, in collaboration with U.S. companies, to lead the federal development of voluntary cybersecurity standards and best practices. He said such a framework will likely include industry-driven “standards, processes and methodologies” to help owners and operators of critical infrastructure to secure their systems. Much of NIST’s effort is about promoting “good cyberhygiene and putting it into practice robustly” and working on “adaptive” cybersecurity techniques, he said. Gallagher added that such cybersecurity standards will not be static and will be industry-driven and voluntarily adopted. “This will work best of all when good cybersecurity is good business. When that alignment happens that is when the magic happens,” he said. Gallagher said he’s hopeful the sequester will have a minimal impact on NIST’s industry coordination and development of cybersecurity guidelines but said he’s concerned it could impact the agency’s long-term ability to provide technical support.
Greg Wilshusen, Government Accountability Office director of information security issues, testified that Congress should develop legislation that synthesizes the evolution of the government’s cybersecurity strategy, according to his written testimony. Wilshusen said legislation is needed to clarify the responsibilities of the agencies tasked with securing critical infrastructure and to determine what oversight roles are needed to ensure the president’s cybersecurity order is implemented successfully.
Dow Chemical Company Executive Vice President David Kepler said that the most common cyberattacks his company faces are basic computer viruses. “What we are challenged with the most are from highly resourced institutions … some countries and some criminal organizations,” he said. “That is a big problem.” Kepler told lawmakers that cybersecurity risk management is more important than developing basic cybersecurity standards. “The problem we want to solve is defining risk management.”