Cybersecurity Authority Must Go to White House, Subcommittee Hears
The Department of Homeland Security has no coherent structure for cybersecurity authority, members of the Commission on Cyber Security for the 44th Presidency told the House Homeland Cybersecurity Subcommittee Tuesday. They recommended that authority be transferred to the White House as much as feasible. The group, founded by the Center for Strategic and International Studies, is formally chaired by Subcommittee Chairman James Langevin, D-R.I., and Ranking Member Michael McCaul, R-Texas. Commission members criticized the White House for keeping government employees and business in the dark on the administration’s cybersecurity initiative, announced in January.
Langevin said he and McCaul were starting the House Cybersecurity Caucus to pursue the subcommittee’s work beyond its jurisdiction. The caucus will raise awareness and allow lawmakers on various committees touching on cybersecurity to discuss challenges, Langevin said. He said he has received “great support from a number of members,” and the caucus will have a formal kickoff in January. Tuesday’s hearing was the last for the subcommittee this Congress, though the commission will testify Thursday at the House Intelligence Committee.
While not recommending any transfer of authority from DHS, David Powner, director of information management issues at the GAO, said the department is in disarray on cybersecurity. The GAO released two reports on DHS cybersecurity Tuesday. The National Communications System and National Cyber Security Division have “duplicative and overlapping operations,” and the duties of the new National Cyber Security Center must be reconciled with those of the assistant secretary for cybersecurity and communications and the division, Powner said. Many in business believe the White House should be the cybersecurity authority, he said. The government must decide whether some industries need higher-priority cybersecurity protection because of their importance, he said. The “lessons learned” from the second Cyber Storm exercise, a weeklong mock attack that involved several security companies (WID March 14 p4), won’t be available until December, though the next Cyber Storm exercise is already in planning, Powner said.
The commission’s recommendations to the next president should be finished by November, said Jim Lewis, director of the technology and public policy program at the center, who leads the commission. General recommendations will include the need for “credible offensive capabilities” to deter cyberattacks, he said. Noting the commission’s long debates on a broad range of subjects (WID June 5 p2), Lewis said they concluded -- over his initial objections -- that only the White House can handle cybersecurity duties. “This is not a call for a czar,” a position that historically has been “marginalized,” he added. To restore trust in public-private partnerships, the government should narrow the range of priority industries for cybersecurity, Lewis said -- electric grid, telecom and finance. Critical infrastructure must have more regulation but not a “prescriptive command and control” framework.
The U.S. isn’t ready for a major cyberattack, Lewis and Powner told Langevin. DHS’s authority has only been weakened as other agencies took their own lead on cybersecurity, Lewis said. Paul Kurtz, former cybersecurity adviser to President Clinton and commission member, said the department has “several people with their hands on the steering wheel and there’s really no common direction.” Asked by Langevin who should have budgetary authority over cybersecurity if not OMB, Lewis said the Director of National Intelligence offers a good model. That office coordinates the intelligence budget but works with OMB to craft the President’s budget submission, he said. The problem is that OMB has inherent policy authority under the Federal Information Security Management Act, Kurtz said, so it may have the budgetary “veto power” that Langevin feared. A FISMA revision may be in order, Kurtz said.
Despite its support for added regulation, the commission is “looking to do this in as light a manner as possible,” Lewis said. The electric, telecom and finance industries each have regulatory authorities and they only need a way to coordinate, perhaps through a new White House body that sets “minimum thresholds” for cybersecurity regulation, he said. A presidential-level advisory body -- perhaps along the lines of the President’s Export Council, which works with “affinity groups” in business -- could make companies more willing to share information on cybersecurity weaknesses, Lewis said.
Rep. Bill Pascrell, D-N.J., said the Bush administration has been a “disaster” on cybersecurity. “They announced a new initiative and they over-classified everything,” with Congress begging for months to get some details, he said. Pascrell alluded to an ITAA conference Monday that featured administration officials talking about the effort in general terms (WID Sept 16 p3). “They had the gall to charge government employees $50 to attend it,” Pascrell said, when the administration should have briefed employees as a matter of course. Kurtz said he was perplexed that the administration was “having an event at an association” instead of publicly describing the effort, “which is a good news story.” Several agencies briefed the commission, though “the White House in all cases discouraged people from participating,” Kurtz said. Lewis confirmed that commission members, all of whom have security clearances, have been briefed on the classified effort, and “there’s no reason to classify it.”
An ITAA spokesman told us the event, co-sponsored by the Northern Virginia Technology Council, was “open to anyone.” The $50 government rate was below the $75 rate for association members and $125 rate for the general public, he said. DHS has previously discussed the cybersecurity initiative at public events, the spokesman said.
Several commission members are involved with the major presidential campaigns and are working on setting up more detailed briefings with senior members of the campaigns, Lewis said at the hearing. They should take place within a month, he added.