White House, Congress, Private Sector Push Toward Cybersecurity Framework, Proposals

Over the last 20 years, government coordination with industry on cyber issues “has become a policy priority, not just in our government here … but also internationally,” said Christopher Painter, coordinator for cyber issues at the State Department. In previous efforts, government and industry were doing work in different silos and “there really wasn’t good communication, collaboration or a sense of what our overall goal was,” he said. The release of President Barack Obama’s international strategy for cyberspace (WID May 17 p2) is significant, Painter said. It took trends in cyber activity “and put them under one strategic framework, not just for our government to better organize, but also it’s a message to the rest of the world of what we stand for as a country and what we're trying to achieve,” he said.

There are initiatives being developed in both houses of Congress. The Senate is working toward comprehensive cyber legislation, said Tommy Ross, aide to Senate Majority Leader Harry Reid, D-Nev. The process involves building a broad coalition of government, private sector and other participants “to come to a consensus opinion about the steps that we need to take to defend ourselves as a nation,” he said. One goal of the coalition is to avoid being bound by jurisdictional lines, he said. Reid tried to “put in place a structure that allows for cross-jurisdictional work so that what we come up with here is truly reflective of that cross-governmental approach and is not biased by jurisdictional lines.” The coalition also will work toward “developing governing philosophies and significant policy proposals that can set us in the right direction,” he said.

Legislation should not focus on solving every problem, Ross said. It’s intended to position the government “so that it has the tools it needs to solve these problems,” he said. The framers should focus on governance issues, the authority of the government and information sharing, he said. “I don’t think we will have done our job as a Congress unless we can put some sort of authority in place to allow everyone to work in a collaborative way to do cybersecurity from .mil, .gov [and] .com."

House Speaker John Boehner, R-Ohio, and Rep. Mac Thornberry, R-Texas, are planning to launch a cybersecurity working group, said Michael Seeds, aide to Thornberry, chairman of the Subcommittee on Emerging Threats and Capabilities. The idea is for the working group to establish policy priorities and policy goals to “help guide the committees to make sure that the individual pieces that they are working on are working towards a coherent fashion,” he said. The main issues to be addressed by the group are “finding the right incentives to elevate cybersecurity generally,” “examining the variety of laws related to cybersecurity that could be updated” and “utilizing some of the knowledge that we have in cyber command and leverage those to help protect other areas of government and critical infrastructure,” he said.

The public and private sectors must continue to address how best to leverage their partnership, said Liesyl Franz, TechAmerica cybersecurity public policy vice president. An information-sharing policy could remove barriers to protecting critical infrastructure, she said. The government and industry must determine “what information is valuable to whom and when,” she said.

The government must be sure to do no harm, Seeds said. “We have to recognize that cybersecurity is not the end goal, that it is the means to an end to keep the Internet open and free and we want that innovation to continue.” This will be a “measuring stick” for House proposals, he added. Incentives are important, but they can’t do everything, Ross said. “I don’t think we can be completely relying on incentives. We ought to have assurance that our key national security assets are not going to be in danger.”