Federal Security Board Bombards Aides on Cybersecurity Bills
The Senate Commerce Committee’s cybersecurity bill may have elicited kudos from industry following amendments and committee approval (WID March 25 p1), but it drew barbs from members of the federal Information Security and Privacy Advisory Board at a meeting late Thursday. The committee’s top lawyer told the board the bill had been scaled back in some places to get industry support but defended other criticized provisions, especially a “dashboard” interface that would pull together security incidents under a single reporting structure. A Senate Homeland Security and Governmental Affairs Committee aide said its own bill would soon debut with provisions from a subcommittee chairman’s earlier bill.
“It’s been an interesting year,” said Commerce General Counsel Bruce Andrews, alluding to the controversy surrounding the Cybersecurity Act (S-773): “We got a little bit beat up” over its since-abandoned “kill switch” provision, which was simply a mechanism for “procedures.” The Cyber-ShockWave exercise that simulated a crippling cyberattack on the U.S. (WID Feb 17 p1) showed authority isn’t clear in an attack, he said. “Not everybody loved it from day one” but the feedback has made for a stronger bill, which now includes “collaborative designation” of critical infrastructure and access to classified information for senior business executives.
Criticism that S-773 is too focused on compliance isn’t surprising, Andrews said. “The private sector always says that,” and though he admitted the certification and training language for businesses was “hugely controversial,” Andrews said the exact language would come from a rulemaking process: “We're starting with a blank piece of paper on some level.” A provision tasking the National Institute of Standards and Technology with helping businesses on risk management is “not to put standards into place that become mandates,” but to identify best practices and require businesses to get independent audits, he said.
Those audits are meaningless without safeguards, board members said. Ari Schwartz of the Center for Democracy and Technology said companies that weren’t “up to snuff” after multiple audits should suffer publicly, perhaps having to disclose failures in their annual 10-K filing. That was in an amendment the committee rejected, instead choosing to mandate critical-infrastructure operators do a “remediation plan” for failing two consecutive audits, Andrews said. Peter Weinberger, senior software engineer in Google’s New York office, said the accounting industry couldn’t be trusted to do audits without oversight. “There’s only four big ones left,” he said: “No matter how badly they behave you can’t afford to get rid of another one.” But audits add “some level of accountability” that’s not dependent on federal oversight, Andrews said. He told Fred Schneider, computer science professor at Cornell University, “the private sector really pushed back” on government oversight in audits. “You're missing some opportunities for a lot of expertise and for cooler heads to prevail,” Schneider shot back. “You're setting means,” not goals, violating the spirit of S-773. Andrews told Gale Stone, deputy assistant inspector general for audit at the Social Security Administration, the government wouldn’t shut down operators for two failed audits, but would show them the “serious consequences” of a third failure. “You can’t underemphasize the importance of the government as a contractor,” Stone said.
Security consultant Lynn McNulty, a former National Institute of Standards and Technology official, said the Commerce bill’s scholarship-for-service program ignored the shortfalls in cybertraining among existing federal employees: “The country is probably not going to be saved by college kids.” Adam Sedgewick, professional staff member for the Homeland Security Committee, said agencies fell under its jurisdiction and his committee’s bill would address that. Schwartz said he was skeptical that the increased outlays for NIST and its cybersecurity lab would get support. “We live in a brutal budget environment and there’s no doubt it’s going to get worse,” Andrews conceded. But it should still be a priority, he said.
Cornell’s Schneider said the dashboard provision “puzzles me,” in part because it would only apply to the Commerce Department: “Why the arbitrary cut?” Andrews said the committee doesn’t have jurisdiction to expand it across all agencies. But Schneider was more concerned about creating an “attractive nuisance,” a centralized reporting structure that invites intrusion by hackers. “We don’t have all our military assets in one location.” The White House has a situation room, effectively centralizing national security response, Andrews said. Sedgewick defended the dashboard, saying it’s something that chief information security officers will want.
The dashboard doesn’t offer centralized control over systems, but simply monitors their real-time status, Andrews said: No one is “pulling all the strings.” Schneider wasn’t satisfied. Hackers would have “one stop shopping” to tell if cyberattacks were working and find software vulnerabilities, he said. Brian Gouker, chief of community outreach at the National Security Agency, said information aggregated into the dashboard would probably need to be classified, opening a new can of worms. Sedgewick said the State Department already runs a similar reporting system and it’s not classified, but lawmakers would be quick to issue clearances if dashboard information were classified.
The Homeland Security draft bill is being debated between staff of Chairman Joe Lieberman, I-Conn., and Ranking Member Susan Collins, R-Maine, but will be introduced “within the next few weeks,” Sedgewick said. It likely will codify the White House cybersecurity adviser, giving the position budget and coordination authority, similar to the Office of Management and Budget’s information technology authority but not “duplicative,” he said. It will also codify the Department of Homeland Security’s cybersecurity responsibilities. The assistant secretary for cybersecurity’s duties are ill-defined and the committee is spending “a lot of time trying to spell that out,” including authorities over .gov and industry relationships, Sedgewick said. “Some part of it will be a mandatory risk-based approach” and requirements for the most critical infrastructure.
Federal Information Security Management Act reform is another part of the bill, and “the bulk” of a FISMA reform bill (S-921) by Federal Financial Management Subcommittee Chairman Thomas Carper, D-Del. (WID Oct 30 p4), will be included, Sedgewick said. “We can then marry up” FISMA requirements with DHS responsibilities, while excluding provisions on procurement and the U.S. Computer Emergency Readiness Team in Carper’s bill, because Lieberman’s will go into them in much greater detail, he said. The bill also will cover the Federal Desktop Core Configuration (FDCC) program and training provisions. “Early next week” the committee will release two GAO reports it requested on the implementation of FDCC and the Trusted Internet Connections initiative that are “fairly critical,” Sedgewick said.
There’s interest on the committee in moving the Lieberman bill quickly through hearings and markup, but they might shop around a draft first, Sedgewick told CDT’s Schwartz. Asked if it would be a “committee product,” Sedgewick said “that’s the plan,” but noted there were “one or two more substantial” disagreements between Lieberman and Collins. The ranking member made clear she wants a cybersecurity office in DHS and not the White House, but that’s a minority view, Andrews said. Senate Majority Leader Harry Reid, D-Nev., is personally coordinating the work of the various committees with a piece of cybersecurity authority, including Judiciary, Armed Services, Foreign Relations and possibly Banking, Andrews said. “The fact that there’s not as much movement in the House doesn’t inspire me.”