The Public Eye with Eric Chabrow

Creating Senate Cyber Bill is Akin to Sausage Making

Creating Senate Cyber Bill is Akin to Sausage Making

The adage attributed to the 19th century German Chancellor Otto von Bismarck seems apropos for the cybersecurity legislation introduced last week by Sens. Joseph Lieberman, Susan Collins and Tom Carper:

"There are two things you don't want to see being made - sausage and legislation."

What makes this bill like sausage making are its provisions establishing two cybersecurity "czars" - one in the White House and another in the Department of Homeland Security. Simply, the job of the director of the White House Office of Cyberspace Policy would focus on policy whereas the director of DHS's National Center for Cybersecurity and Communications would concentrate on tactics. But the nearly 200-page bill baffles some of the brightest people in Washington with what seems to be overlapping responsibilities between the two positions.

Why have two senior cybersecurity officials? The answer is the insistence of Collins, the Maine Republican who is the ranking member of the Senate Homeland Security and Governmental Affairs Committee, which is chaired by Connecticut Independent Lieberman and in which Delaware Democrat Carper serves as a subcommittee chairman with IT security oversight.

For more than a year, Collins has been championing the placement of the senior-most federal IT security official in DHS rather than in the White House. Here's what she said last November:

"Effectively managing government cybersecurity is going to require more than a few staff crammed into a cubicle in the depths of the White House."

Lieberman wanted Collins' name on the bill, although most lawmakers who have expressed an opinion on the matter seem to back the idea of establishing one Senate-confirmed top cybersecurity official in the White House; indeed, that's how the House voted on its cybersecurity reform legislation that passed late last month as part of a defense authorization bill.

I asked Jim Lewis - a senior fellow at the Center for Strategic and International Studies, the bipartisan policy organization that sponsored the Commission on Cybersecurity for the 44th Presidency, which he serves as project director, whether the bill's convoluted wording was, in part, because of the need to get Collins' buy in. Lewis' response:

"Yeah, that's the explanation. What I was told was that this was member-level issue, meaning that some members wanted White House, and at least one member wants it in DHS, and the way they tried to fix the problem was by splitting the baby.

Lewis thinks giving the White House strategic responsibility and DHS tactical responsibility for civilian-agency cybersecurity is a good plan. But ...

"It's not clear form the language that's exactly what they meant. Part of it was that when they started out (drafting the legislation), the DHS person was going to be reporting directly to the president, and exercising a lot of authorities that are really more appropriate for the White House. So, they scaled that back, but it still shapes the languages. The lines of responsibility aren't as clear as they need to be. Again, that's a fixable thing. The general theory is good but they got to work on the language."

Here's where I disagree with Bismarck: As Congress tries to come up with language for a final cybersecurity bill that can win a majority of votes in both houses, it could be fun watching the legislators make the sausage.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.