The House Homeland Security Subcommittee on Cybersecurity held a hearing Thursday on the president's executive order mandating the development of a cybersecurity framework, and it is clear the issue of whether that framework becomes regulation by proxy remains a concern to Republican leadership on the subcommittee.
Hearing witnesses from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security assured the subcommittee that they were still focused on a voluntary framework and that "buy-in" from industry stakeholders would be critical to the success of the program.
But Robert Kolasky from the Department of Homeland Security, who is among the officials overseeing the cybersecurity standards-setting process, said the Administration still believed a "comprehensive suite" of legislation was needed to buttress the order. Those include facilitating information sharing with government, something the president could not order, privacy and civil liberties protections, incentivizing adherence to voluntary best practices and data breach reporting requirements.
The president in February issued an executive order on cybersecurity mandating a public-private partnership to protect critical infrastructure. That includes broadband providers, whose networks are critical components of those systems and whose representatives worked with the Administration as it prepared the order.
That order came after Congress failed to come to agreement on cybersecurity legislation in the last Congress, despite agreement that cyber threats were growing and needed to be addressed. The Administration had soon after threatened the order, while saying legislation was also still needed.
The order requires the Secretary of Commerce to direct the head of NIST to head up the development of a voluntary cybersecurity protection framework that "shall include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks." An initial framework must be ready within 240 days of the date of the order (Feb. 12, 2013). That means the draft must be finalized by October.
Subcommittee chairman Patrick Meehan (R-Pa.) suggested he was concerned that all the "shalls" in the president's order could morph into regulations that could lock industry into a regime that would be insufficiently flexible and work against innovative and effective responses to cyber attacks, or provide a false sense of cybersecurity if it became a "check the box" procedure.
He said the key was to incentivize participation in guidelines without "onerous standards." Meehan also said that Congress needs to pass legislation to provide liability protections for industry info sharing.
Republicans have backed, and passed, a House information-sharing bill, CISPA, that is also supported by the cable industry. Sen. Jay Rockefeller (D-W. Va.) has pledged to work on a Senate bill that would include greater privacy protections.
Both Meehan and ranking member Rep. Yvette Clarke (D-N.Y.) expressed some concern that NIST had back in May circulated a draft of ways to incentivize private industry participation, but that they were only now seeing copies of it.