What Next? Cybersecurity Legislation in the Senate

Credit EligibleAs a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Still, a former chief technology officer of a major federal department who held other top-level government IT posts said he believes the House-passed bill or a Senate version of the legislation could pass on its own. The Cybersecurity Enhancement Act, in part, updates the High Performance Computing Act of 1991 that strengthens the role of the National Coordination Office - part of the White House Office of Science and Technology Policy - to coordinate cybersecurity research and development. "I see the House bill as a standalone and tied to the HPC Act of 1991, not likely to be tied to FISMA," the onetime CTO said.

A final decision on the legislation likely will occur during hard-nosed negotiations held behind closed doors in once smoke-filled rooms. The negotiators will include the key cybersecurity bills' sponsors, aided by their staffs. The Obama administration's new cybersecurity coordinator, Howard Schmidt, spent part of his first week on the job last month meeting with some of these players, and likely told them what the White House would like to see in a cybersecurity law. "I imagine Howard would be personally involved representing the administration's priorities in this area to the Senate," former federal CIO Karen Evans said.

But, as seen in the healthcare legislation, it's what the members of Congress want in a bill, and not necessarily the provisions the president seeks, that gets in the final version. Still, as Carper said last year, in shaping legislation, Congress would want to produce a bill the president will sign. "Sometimes we focus a whole lot on just getting something through the Senate without thinking about the executive branch or thinking about the House, and it has got to be that we think of those two as well, the administration and our House colleagues," Carper said in an interview with GovInfoSecurity.com.

Horse Trading

Though there's general agreement among lawmakers for the need for new laws to help secure the government IT systems and the nation's critical IT infrastructure, elements to any comprehensive cybersecurity measure will be a challenge to piece together. "I am sure there is a lot of horse trading around various items in the bills," a former Department of Homeland Security senior IT leader said.

The puzzle piece that's received the most attention this past year is how high up in the White House hierarchy should the president's IT security adviser be positioned? Schmidt does not report directly to the president, though President Obama has promised to meet with him from time to time. Schmidt reports through the national security adviser. Some lawmakers feel the current situation is fine; others, like Rockefeller and Snowe, seek to establish an Office of Cybersecurity with its Senate-confirmed chief - the current post requires no Senate approval - reporting directly to the president.

Another thorny issue is how much authority should be given to the Department of Homeland Security in overseeing other civilian agencies' cybersecurity budgets. One version of Carper's bill does just that, though it's unclear whether that provision remains. The role the National Security Agency plays in monitoring Internet traffic to and from government sites is another issue where agreement isn't guaranteed.

A potentially most divisive issue could be how much regulation the government should impose on businesses controlling the nation's critical IT infrastructure - about 85 percent of such IT systems are controlled by the private sector - a subject that could cripple a comprehensive cybersecurity bill. "If the bill starts to get heavily laden with new regulatory requirements or pull-the-plug language" - a reference to a provision in the Rockefeller-Snowe bill to authorize the president to shutter Internet traffic to and from federal systems in a cyber emergency - "then the legislation will get bogged down," said Greg Garcia, former DHS assistant secretary for cybersecurity and communications.

Still, the major roadblock to enactment of a cybersecurity law this year is all the other stuff going on in the nation and the world. Creating jobs, reforming healthcare insurance, fighting two wars and battling global climate take up a lot of bandwidth of the Senate, House and the president.

And then there's the November election for all of the House and one-third of the Senate seats. "Congressmen have to pay attention to being re-elected," CSIS's Lewis, who also serves as the project lead of the center's Commission on Cybersecurity for the 44th Presidency, said in a recent interview with GovInfoSecurity.com. "So sometime, starting in probably August, their attention will be focused on the election, and that means the CPU time available for significant new legislation will decrease."