The Obama Administration talked up a collaborative, voluntary
and stakeholder-driven cybersecurity best practices framework at a Senate
hearing Wednesday, but also said Congress should legislate that voluntary
That came in an unusual joint hearing between the Senate
Commerce Committee and Homeland Security Committee on implementing the president's
executive order establishing that voluntary framework.
Senators from both committees and on both sides of the aisle
agreed that cyberattacks were a growing threat that needed a coordinated
government response. Several senators said they thought there was a possibility
for consensus legislation in this Congress -- attempts to do so failed in
the last Congress.
But Rockefeller and the two administration witnesses,
Department of Homeland Security Secretary Janet Napolitano and Patrick
Gallagher of the National Institute of Standards and Technology, agreed that
Republican-backed House legislation that dealt primarily with information
sharing was not sufficient to address the problem. NSA is charged by the White
House with facilitating and providing technical support for the industry-driven
That House bill, which is backed by the National Cable and
Telecommunications Association, was reintroduced
this session by Rep. Mike Rogers.
Napolitano said a "suite" of legislation was
needed that would 1) incorporate privacy and civil liberties; 2) create
information sharing standards; 3) provide additional tools to fight cybercrime;
4) create a data breach reporting requirement; and 5) give DHS hiring authority
equivalent to the National Security Agency.
In his opening statement, Senate Commerce chairman Jay
Rockefeller (D-W.Va.) said that an attack on a private company was the same as
an attack on the entire nation when it involved critical infrastructure; melding
government and private interests was one of the things that made the
cybersecurity issue a difficult one.
Sen. Mark Warner (D-Va.) said that he was concerned about a
voluntary framework without some kind of legislative enforcement backstop
because a company that did not volunteer could become an entry point for attacks
on participants who were using those best practices. Warner said that, given the
increase in attacks, he saw some movement in the business community toward
having an enforcement mechanism.
Republican Sen. Tom Coburn (R-Okla.) praised the president's
executive order, but also said he was concerned about the government role in
cybersecurity given its own issues with protecting the government's
Gallagher repeatedly emphasized that the voluntary cybersecurity
framework created by the president's executive order was just that, and that he
wanted industry to come up with that framework. Napolitano said that the
government would use carrots rather than sticks for industry, including
procurement and contract incentives for adopting standards.
Gallagher said the goal is to set standards, and have
industry decide how best to do that. Napolitano said that to the extent that
this is a national security interest and the government is leaving it to industry,
that is a first, and a "grand and bold experiment," rather than a
top-down government process as is usually the case with national security.
Gallagher suggested an added benefit of having the industry
drive the framework is that the government sequester cuts would not have much effect
on that process, as opposed to a government top-down process.
Asked why there seemed to be a shift in the industry,
Napolitano suggested it was because the president involved them in the creation
of the executive order itself, and because the administration did not stop work
when the Democrat-backed bill failed in the last Congress.