Pros and Cons of a Cybersecurity Bill
Jim Lewis of Commission on Cybersecurity for the 44th Presidency
"The idea that the White House person sets strategy and the DHS person implements it (is) a good plan," Lewis said in an interview with GovInfoSecurity.com (transcript below). "But, it is not clear from the language that that's actually what they meant. ... The lines of responsibility aren't as clear as they need to be, which is again, a fixable thing. The general theory is good but they have got to work on the language."
We asked Lewis to analyze the bill soon after its introduction but shortly before the Senate Homeland Security and Governmental Affairs Committee chaired by Lieberman approved the measure. Technically, the bill is before the full Senate, but in reality it's likely to be combined with other cybersecurity bills before the Senate.
Why ask Lewis to analyze the complex, nearly 200-page bill? In regards to technology policy and the federal government, Lewis is one of the most connected and highly respected thought leaders in Washington
James Lewis is a senior fellow and director of the technology and public policy program at the Center for Strategic and International, a not-for-profit, bipartisan public policy institute. Lewis also serves as the project director of the center's Commission on Cybersecurity for the 44th Presidency, which issued a report in December 2008 that served as the foundation for much of the cybersecurity legislation introduced during the 111th Congress, including the Protecting Cyberspace as a National Asset Act.
According to his biography on the center's website, Lewis' research involves innovation and economic change; Internet policy and cyber security; space programs; and intelligence reform.
Before joining CSIS, Lewis served a member of the U.S. Foreign Service and Senior Executive Service, where he worked on national security and technology-related issues. The policies he helped to shaped include counterinsurgency in Asia and Central America, military basing in Asia, conventional arms transfers, commercial remote sensing, high-tech exports to China and Internet security. Lewis led the American delegation to the Wassenaar Arrangement Experts Group for advanced civil and military technologies. He also was assigned to the U.S. Southern Command (for Operation Just Cause), the U.S. Central Command (for Operation Desert Shield), and to the U.S. Central American Task Force.
Lewis has authored numerous publications since coming to CSIS, including Securing Cyberspace in the 44th Presidency; Building an Information Technology Industry in China; Waiting for Sputnik: Basic Research and Strategic Competition; Globalization and National Security; Spectrum Management for the 21st Century; Assessing the Risk of Cyber Terrorism; China as a Military Space Competitor; and Preserving America's Strength in Satellite Technology.
Lewis received his Ph.D. from the University of Chicago in 1984.
ERIC CHABROW: What do you think of Protecting Cyberspace as a National Asset Act?
JAMES LEWIS: I generally like it; it does a lot of things that need to be done. I would say there are three issues that they are going to have to work through.
Issue one is it's still kind of complicated. I mean I screamed last night; I had seen an earlier version that was only about 60 pages and last night I got a version that was 197 pages and I was like, what happened? They need to sort of de-complicate it a little bit, especially when they get into prescribing some things for DHS.
The second issue is the relationship of how the new DHS thing will relate to the White House, and how it relate to the rest of the department. I think that is going to need some more scrutiny. How does it relate to the undersecretary for infrastructure protection? What is the relationship to OMB and to this new cyber office at the White House? Not impossible issues, but ones they are going to have to think about and DHS can do certain things and there are other things they can't do so they need to maybe take a step back and ask what are good missions for DHS and how does it fit with the other things we are talking about.
The third thing is the regulatory structure, which is great. It is fabulous that they have put that in DHS's ability to require the private sector to do certain things, but they put in these alternate measures section that basically says if I am the director of this new DHS office and I tell you that you have to put a lock on your door, and you come back and you say you haven't done a lock but you have put on masking tape and you assert that that is the equivalent of what I've asked, then I can't object to that without some sort of real complicated process. So they need to strengthen the regulatory part a little bit, but overall, a very good bill.
CHABROW: On the regulatory matter, do you think it was written that way because of just the feeling among some people that they just don't want to have government regulating too much?
LEWIS: The intent is good, which is that you don't want government writing prescriptive regulation. I think that is right. You don't want DHS trying to tell industries how to do their business, but you do want DHS to be able to set reasonable goals and then make people meet them. They admit to that in principle but I think the way it is drafted it gives a little too much wiggle room.
If we had this discussion and I said you need a lock and you said I've got masking tape, if that is equivalent then I can't object to it. Who decides that it is equivalent? Well, that's the director. What if the director says it isn't equivalent and the company says it is? What happens then? The answer is you go to court, not a good outcome for a regulatory agency. Not an impossible problem to fix but a fixable problem.
CHABROW: Why do you think they decided to have two senior cybersecurity officials, one in the White House and one in DHS? Was any of that part of Sen. Susan Collins' insistence that a lot of the control be in DHS?
LEWIS: Yes, that is the explanation. What I was told is this was a member-level issue, meaning that some members wanted White House and at least one member wants it at DHS, and the way they tried to fix the problem was by splitting the baby.
CHABROW: But it can work?
LEWIS: Again, this is where the bill is basically good. The idea that the White House person sets strategy and the DHS person implements it, which is not a bad plan, that's a good plan. But, it is not clear from the language that that's actually what they meant and part of it was you know when they started out the DHS person was going to be reporting directly to the president and exercising a lot of authorities that are really more appropriate for the White House and so they scaled that back, but it still shapes the language.
The lines of responsibility aren't as clear as they need to be, which is again, a fixable thing. The general theory is good but they have got to work on the language.
CHABROW: But the idea of having a Senate conformed person in the White House and DHS is not necessarily a bad idea; I mean it gives Congress an easier way to provide oversight.
LEWIS: It is a religious issue. The White House isn't going to object to Senate confirmation at an agency, they are just not going to accept Senate confirmation at the White House, and at the same time the Congress always wants Senate confirmation. It is a religious issue and they will have to work it out in the final details, but it's not a big deal for me.
CHABROW: Is it enough to block the bill by having a confirmable cybersecurity director in the White House?
LEWIS: If the White House really wants something they will go along with confirmation. If they don't want something very badly, and I don't think there is much they are going to want in this bill, then they will block it unless you take that part out. That is the end game.
CHABROW: Are you just saying then that there isn't much in this bill that the White House wants?
LEWIS: I think that's right. I think the White House is kind of working through what they want as a strategy and this bill forces the pace for them.
CHABROW: If it passes do you think it will be signed?
LEWIS: Yes, if it passes, that's right.
CHABROW: Let me ask you about that, if it passes. Talking to some people it seems they are more optimistic today and the House has passed its version of the bill through the defense authorization bill and you have this bill getting support from Sens. Jay Rockefeller and Olympia Snowe (sponsors of other cybersecurity legislation). How do you see today versus a week or two ago of cyber security legislation passing in 2010?
LEWIS: I still think there is a good chance. Te positive scenario is they will spend the next three or four months cobbling the bills together, they will get it up for a vote, and my bet is that we are about to go into election season so they are not going to be paying attention. But when they come back after the elections there is a good chance that this could, if they have the package done, there is a good chance this could go through.
CHABROW: Could it be part of the Senate version of the Defense Authorization Bill?
LEWIS: I don't think so. It is possible they will slip some of in it but I don't think that's what they want to do right now. I don't know that for sure though.
CHABROW: If they pass their own bill, but the House bill's part of Defense Appropriations, is there a way they could work that in conference or would they then have to send their bill over to the House and the House would then have to consider it and then go to conference at that point?
LEWIS: There are two issues. The first is that Rockefeller-Snowe and Lieberman-Collins go into a lot of areas that House bills don't, and the second is that the House bill is very much just in the White House. There is a lot of overlap but there are a few issues they need to work out. Does the House then add in the rest of the Senate stuff, and they will have to go through this drill of who is in the lead, is it the White House or is it DHS, that is a debate they are going to have to have either way.
It could be slipped into the National Defense Authorization Act, but you know I think that the issues are such that I think they might want to do it as an independent, as a standalone.
CHABROW: Is this bill really needed?
LEWIS: Yes. The things it does are things we should have done a while ago. It has some great stuff in it. The part about the no bonuses for agencies that haven't secured their networks, we have seen tremendous disasters at some of the civilian agencies and nothing really happened, right? Or it took months for something to happen and if there is a disaster and the leadership at the agency finds out that it can't get any bonuses, I bet you this will become priority No. 1 the very next day.
There is some stuff in this bill, the stuff on regulation, the stuff on presidential authority, the stuff on budget review, all that stuff is great, the stuff on standards. The Rockefeller workforce and standards things are just essential and these bills would really make a big improvement.
Now that said, people are going to scream and say they are not perfect, they need work and all of that is true. They are not perfect and they do need work, but if we can pull them together into a good package I think it would make a big improvement. And, I say, we because it is clear that the committees are very interested in consulting with the private sector and with outside experts; they are not trying to jam something down peoples throat. They are making an effort and this know this has to be a team effort and they are trying to do that.
You know they have worked really hard on it and there are still some issues that they will need to sort through, but I think overall it is in pretty good shape with those couple of exceptions, the regulatory exception and the role of DHS exception. Major issues, I am not sure how they will resolve them; the rest of the bill is pretty good though.
Follow Eric Chabrow on Twitter: @GovInfoSecurity
Suzanne Spaulding, a top Department of Homeland Security official, says the nation's IT security...
Latest Tweets and Mentions
Suzanne Spaulding, a top Department of Homeland Security official, says the nation's IT security...
The ISMG Network
OWASP's Soi on Securing the Application Lifecycle
Analysts Ponder Who Could Be Targeted Next
Gartner's Girard on Key Security Challenges in Mobility
Expert Explains Key Credentials for Healthcare InfoSec Pros
Why Workforce Training Isn't Enough
Juniper's Paul on What 'Layered Security' Really Means
Vasco's Dica on Authentication Trends in the Indian Market
Security Leaders Welcome Help Setting New Standards
Security Leaders Embrace Concept, But Cite Challenges