Creating Senate Cyber Bill is Akin to Sausage Making
The adage attributed to the 19th century German Chancellor Otto von Bismarck seems apropos for the cybersecurity legislation introduced last week by Sens. Joseph Lieberman, Susan Collins and Tom Carper:
"There are two things you don't want to see being made - sausage and legislation."
What makes this bill like sausage making are its provisions establishing two cybersecurity "czars" - one in the White House and another in the Department of Homeland Security. Simply, the job of the director of the White House Office of Cyberspace Policy would focus on policy whereas the director of DHS's National Center for Cybersecurity and Communications would concentrate on tactics. But the nearly 200-page bill baffles some of the brightest people in Washington with what seems to be overlapping responsibilities between the two positions.
Why have two senior cybersecurity officials? The answer is the insistence of Collins, the Maine Republican who is the ranking member of the Senate Homeland Security and Governmental Affairs Committee, which is chaired by Connecticut Independent Lieberman and in which Delaware Democrat Carper serves as a subcommittee chairman with IT security oversight.
For more than a year, Collins has been championing the placement of the senior-most federal IT security official in DHS rather than in the White House. Here's what she said last November:
"Effectively managing government cybersecurity is going to require more than a few staff crammed into a cubicle in the depths of the White House."
Lieberman wanted Collins' name on the bill, although most lawmakers who have expressed an opinion on the matter seem to back the idea of establishing one Senate-confirmed top cybersecurity official in the White House; indeed, that's how the House voted on its cybersecurity reform legislation that passed late last month as part of a defense authorization bill.
I asked Jim Lewis - a senior fellow at the Center for Strategic and International Studies, the bipartisan policy organization that sponsored the Commission on Cybersecurity for the 44th Presidency, which he serves as project director, whether the bill's convoluted wording was, in part, because of the need to get Collins' buy in. Lewis' response:
"Yeah, that's the explanation. What I was told was that this was member-level issue, meaning that some members wanted White House, and at least one member wants it in DHS, and the way they tried to fix the problem was by splitting the baby.
Lewis thinks giving the White House strategic responsibility and DHS tactical responsibility for civilian-agency cybersecurity is a good plan. But ...
"It's not clear form the language that's exactly what they meant. Part of it was that when they started out (drafting the legislation), the DHS person was going to be reporting directly to the president, and exercising a lot of authorities that are really more appropriate for the White House. So, they scaled that back, but it still shapes the languages. The lines of responsibility aren't as clear as they need to be. Again, that's a fixable thing. The general theory is good but they got to work on the language."
Here's where I disagree with Bismarck: As Congress tries to come up with language for a final cybersecurity bill that can win a majority of votes in both houses, it could be fun watching the legislators make the sausage.