Is Letter Cry for Cybersecurity Leadership?
Senate Majority Leader Harry Reid and the leaders of six committees that have cybersecurity legislation before them have sent a letter to President Obama seeking his views on White House and congressional efforts to secure government IT.
Or, is the letter a not-so-subtle hint to Obama to get him to tell lawmakers what he would want in a new cybersecurity law?
Melissa Hathaway, who last year led President Obama cyberspace review, characterized the letter as an important gesture from a Congress that truly wants to partner with the president on cybersecurity legislation.
In the letter dated July 1, Reid and committee Chairmen Patrick Leahy of Judiciary; Carl Levin of Armed Services; John Kerry of Foreign Relations; Jay Rockefeller of Commerce, Science and Transportation; and Joseph Lieberman of Homeland Security and Governmental Affairs; and Select Committee on Intelligence Chairwoman Dianne Feinstein wrote that they are:
"...eager to hear your views on the optimal organizational structure, necessary updates and reforms to legislation and regulations governing communications networks and information systems, and additional authorities needed to facilitate effective government leadership and response to cyber threats and vulnerabilities."
The letter continued that the senators appreciated the president's prioritization of cybersecurity from the beginning of his administration, concluding:
"We know your administration will make it a priority to work with us toward comprehensive cybersecurity legislation that will secure and sustain the backbone of 21st century America."
The fact that senators write to the president isn't unusual, it's part of the "kabuki dance of policymaking," said Jim Harper, director of information policy studies at The Cato Institute, a libertarian think tank.
Still, as SANS Institute Research Director Alan Paller observed:
"What is remarkable is not that senators wrote a letter but that the committee chairman from so many powerful Senate committees chose to invest their prestige in making the case for cybersecurity.
Hathaway, now a senior adviser at the Belfer Center of Harvard University's Kennedy School of Government, pointed out that the dozens of cybersecurity bills before Congress take differing approaches. For instance, the Lieberman-Collins-Carper bill would place a government cybersecurity operational center in the Department of Homeland Security; a measure sponsored by Sen. Kit Bond would put that center under Defense Department auspices; and the legislation written by Rockefeller and Olympia Snowe of Maine would leave it to the president to decide. Said Hathaway, in our telephone chat Tuesday:
"Congress is really asking the president and the executive branch: What would they like; what's important to them?"
Jim Lewis, senior fellow at the Center for Strategic and International Studies and project leader of its Commission on Cybersecurity for the 44th Presidency, agreed, saying that he believes the senators are frustrated by the administration's slow response to their bills, writing:
"They've asked for administration views and haven't gotten a complete response. My guess that this isn't bad intent so much as being short-staffed. There just aren't enough people who know the issue.
The White House cybersecurity team is in transition. Several members detailed last year from other agencies to the White House have left or will soon leave as the terms of their temporary assignments expire. That could explain, in part, why Philip Reitinger, DHS deputy undersecretary for the National Protection and Programs Directorate, told Lieberman's committee three weeks ago that the administration is continuing to study the committee chairman's bill, the Protecting Cyberspace as a National Asset Act. At that hearing, Reitinger questioned provisions in the bill to create a new component within DHS that would focus on cybersecurity at a time the department seeks to address jointly physical and virtual threats.
Harper picked up that line of thinking:
"My suspicion is that Howard Schmidt and others in the administration have been tamping down on Congress' efforts because most of what Congress has produced so far has been overkill. In my opinion, the White House has been doing enough, and many in Congress want the federal government to do too much."
Whether the legislation is doing too much is arguable, though even some supporters of cybersecurity reform have noted the density of Lieberman's and a few other bills.
Reid has asked the chairs of the various committee's to come up with a comprehensive, omnibus cybersecurity bill that includes aspects of their respective measures, but it's clear the senators want to hear from the White House before they draft that bill, which could be introduced in September.
I asked the White House for a response to the senators' letter, and I'll post it if and when I receive one.