Jumble of Cybersecurity Bills Begs for Obama’s Intervention, Aide Says
Cybersecurity bills are proliferating in House and Senate committees because of gray jurisdictional lines, an aide told a cybersecurity conference hosted by Defense Daily Tuesday. Though President Barack Obama released his cybersecurity plan last week, “a lot of committees are looking toward the White House to provide … maybe a policy framework” that can guide committees’ marking up of their bills, said Jacob Olcott, staff director for the House Homeland Cybersecurity Subcommittee. He also urged companies to help lawmakers devise a way to speak to the public about cybersecurity that doesn’t conjure up “Orwellian” imagery.
Olcott’s own committee started a war of words with House Commerce, as bills being studied by both panels deal with security of the electric grid. House Homeland Security faulted the Commerce bill (HR-2165) for not covering some major urban grids and leaving out a role for the Department of Homeland Security (WID May 6 p6). The best-known bill comes from the Senate Commerce Committee, giving the White House authority to cut off private networks under attack. The House Science and Technology Committee plans three hearings this month on cybersecurity as well, though legislation hasn’t been introduced.
“One thing I’m always hearing is ‘nothing’s changed’” when it comes to cybersecurity overhaul efforts, Olcott said. But Obama’s plan released Friday has signaled to lawmakers that “we actually have to do stuff,” and it’s nuanced enough that “you can read anything into that report,” making it popular with both free-market and pro-regulation supporters. Lawmakers may get antsy and “take a leadership role” if the cybersecurity coordinator slot in the Obama plan isn’t filled quickly, though, Olcott said. Congressional efforts have been harmed by the heavily classified nature of the Bush administration’s Comprehensive National Cybersecurity Initiative, he added.
A flurry of bills is competing with each other because of “one notable absence” in Rule 10, which governs committee jurisdiction in the House, Olcott said. The rule doesn’t mention information technology or cybersecurity, so any committee that writes a bill “doesn’t really know where it’s going to go … It was nobody’s responsibility before.” Olcott staked House Homeland’s jurisdictional claim on the subject, pointing to an “extensive hearing record” last Congress, though he conceded House Commerce’s jurisdiction over the Federal Energy Regulatory Commission made conflict inevitable. He toned down the earlier line drawing by House Homeland leaders, saying the bills do “similar things” and differences will be ironed out. The situation is dicier in the Senate, with the Commerce bill wading unmistakably into Senate Homeland Security’s territory, Olcott said. Obama’s guidance could really come in handy, he added.
Companies seem to be warming to Obama’s plan, though hurt feelings evidently remain from past criticisms of companies’ private security efforts. Larry Clinton, Internet Security Alliance president, said industry leaders “have their fingerprints all over” the plan, and “I’d be very comfortable” if the coordinator slot went to Melissa Hathaway, who led the administration’s 60-day policy review. The plan improves on the Bush administration’s 2003 cyberspace strategy by recognizing that “the market does not create itself out of Adam Smith’s invisible hand,” Clinton said.
The private software standards group SAFEcode has long shared best practices and is next embarking on a study of supply-chain risks, said Tiffany Jones, Symantec chief of North American government affairs, who helped draft the 2003 Bush plan. Though industry groups are working on protections for sharing classified data and intellectual property, “to date the industry has not been formally approached” to help with R&D, she said. “That’s a detriment, actually, to the government,” because companies spend more on R&D “than the government ever will.” Industry also will tell the administration to think globally when devising rules, since they “don’t want to have to comply with 50 or 100 different standards or certifications” developed by each country, Jones said.
Robert Dix, Juniper Networks vice president of government affairs and critical infrastructure protection, was more diplomatic. The “cultural” barriers are falling, and several “pilots” are emerging from industry efforts within the Bush plan, he said. The first-ever comprehensive risk assessment of the IT sector is about to come out, and it will produce “tangible results.” What’s still missing is a round-the-clock, public-private operations center that can quickly respond to threats such as Conficker, Dix said.
Lagging efforts at security mainly come from inability to measure progress, said Marcus Sachs, a Verizon executive who held several cybersecurity roles under Bush and helped draft the 2003 plan. “This is where we’re stuck right now -- trying to measure security.” Industry can talk about “the ‘R’ word,” regulation, once metrics are devised. Jones said she was tired of hearing “‘the private sector is not doing enough.’ Not once have I ever heard any clear articulation about what it is that we are not specifically doing to address certain gaps and challenges. Specifics, not generalities.” The onus is on government to set a “minimum threshold for cybersecurity hygiene” when it comes to procurement contracts, Dix said, pointing to precedent from the payment card industry’s strict standards.
In fixing the overclassification problem often associated with the Bush plan, “we have to be careful in our zeal for sharing,” Sachs said. A global company like Verizon may be told something “inadvertently” in a U.S. cybersecurity context that gives it a competitive advantage overseas, he said. The subcommittee’s Olcott pointed to a similar difficulty for lawmakers as they try to balance cybersecurity against public fears of invaded privacy. The Senate Commerce bill’s “red button” -- White House authority to cut off networks -- has been mentioned endlessly in the media, he said. “We have to sell a lot of these ideas to the American people,” yet the concepts themselves are difficult for “lawmakers to get their arms around.” Imagine what it’s like for the public to “hear ‘1984’ is coming today.” Olcott asked companies in the audience to “help us craft a better way of discussing some of these big picture ideas.”