Lieberman's Last Harrah on CybersecurityEnding a Career without Passage of IT Security Legislation
You've got to feel sorry for Sen. Joseph Lieberman.
The onetime Democrat turned Independent from Connecticut has been at the nexus of government IT and IT security reform for many of his nearly 24 years in the Senate, capped by the enactment of the E-Government Act of 2002, which included the Federal Information Security Management Act, he shepherded through Congress.
Lieberman is retiring at year's end, and in a letter dated Sept. 24 to President Obama, he all but concedes that legislation he has championed for years to change the way the federal government and nation governs IT security will not be enacted on his watch [see Senate Votes to Block Cybersecurity Act Action].
"A filibuster in the Senate derailed S. 3414, the Cybersecurity Act of 2012," Lieberman says in the letter. "This gridlock threatens to prevent the Senate from passing a cyber bill before the end of this Congress."
Joining most of the other prime sponsors of the Cybersecurity Act [see A Cybersecurity Dream Act Alternative and Obama Urged to Take Solo Action on Cybersecurity] - one exception is Maine Republican Susan Collins [We Can't Wait for Cybersecurity] - Lieberman calls on Obama to issue an executive order to create processes for the government and private sector to create IT security standards that businesses can voluntarily adopt and develop mechanisms for the government and business to share cybersecurity threat information, both key components in the Cybersecurity Act.
Lieberman chairs the Senate Homeland Security and Governmental Affairs Committee, and tells Obama that under the Homeland Security Act of 2002, the president has the clear authority to direct the Department of Homeland Security to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyberattack and issue voluntary standards for those critical systems or assets to maintain adequate cybersecurity.
"Though executive action cannot offer private sector entities liability protections for compliance with these guidelines, I urge you to consider other incentives that you can offer by executive action to companies that own critical cyber infrastructure and decide to comply with the cyber-defense standards that result from your executive order," Lieberman says.
The senator encourages Obama to go beyond provisions of the Cybersecurity Act to explore ways industry regulators can require owners of regulated critical infrastructure to adopt IT security standards.
"Executive action cannot make all the changes necessary to facilitate the type of information sharing we urgently need - only new statutory authorization will be sufficient," Lieberman says. "While the Senate failed to make these critical changes to the law, I hope that you will use your authority to the extent possible to facilitate greater cybersecurity information sharing."
Sad or not, it seems Lieberman won't get to sing his swan song.
Constituents Come First
Rep. Zoe Lofgren, the California Democrat who represents part of Silicon Valley, urges the Obama administration to limit any cybersecurity executive order it issues only to businesses that operate the nation's critical infrastructure.
Lofgren's congressional district is home to many Internet companies, and she says the executive order should clearly exclude non-critical online services, such as social networking, search engines and e-commerce networks.
"Imposing cybersecurity standards on non-critical systems can divert attention away from actions that are central to the function of American society and public safety while posing a negative impact on free expression, privacy, business operating costs and innovation in digital services," Lofgren says in a letter dated Sept. 20 to White House Cybersecurity Coordinator Michael Daniel.
"Cybersecurity standards for non-critical systems (are) better addressed through a transparent legislative process that affords technical experts and the public adequate opportunity for input," she says.
Lofgren's right: the likes of Facebook, Google and Amazon are not vital to the public safety and national security, but try to convince that to many Americans who depend on these types of online services to survive day to day.
See Also: What is next-generation AML?