Is Congress Risk Averse on Cybersecurity?Congressional Naysayers Seen Blocking Cybersecurity, Privacy Bills
"The problem we have got as a country is just that we have a whole lot of people who are good at saying no," said Lewis, senior fellow at the public policy institute Center for Strategic and International Studies, in an interview with GovInfoSecurity.com. "It is like a hockey game, where everyone is a goalie; we are really good at blocking shots, but we don't ever really score anything."
Why the negativity? Lewis says Congress is risk averse. The idea of modernizing laws for the 21st century is perceived as bad, he said. "It is just not a good way to approach things to start out by saying, 'I want to be like my grandmother when she drives on the interstate. I want to stay on the right side and go 20 miles an hour.' ... Don't tell me why we shouldn't do something; tell me what we should do."
In the second of a two-part interview with GovInfoSecurity.com's Eric Chabrow, Lewis also discussed the:
- Need for limited regulation of the Internet that won't stifle creativity.
- Challenges Congress faces in enacting meaningful cybersecurity legislation before campaigning begins for the midterm election.
- Latest threats to information security that the Commission on Cybersecurity for the 44th Presidency will soon make recommendations to resolve.
In Part 1 of the interview, Lewis graded President Obama's first-year cybersecurity performance and addressed the expected evolution of the White House cybersecurity adviser's job and the challenges confronting the new cybersecurity coordinator, Howard Schmidt. He also explained why he feels the federal government must take the lead in securing America's key digital assets, despite the fact that much of the nation's critical IT infrastructure is owned by business.
Lewis also is the CSIS project leader for its Commission on Cybersecurity for the 44th Presidency, which issued a report that the Obama administration used as a blueprint as it developed its own cybersecurity policy.
As a senior fellow at CSIS, Lewis conducts writes on technology, national security and the international economy. Before joining CSIS, he worked as a foreign service officer and as a member of the senior executive service. His assignments involved Asian regional security, military intervention and insurgency, conventional arms negotiations, technology transfer, foreign investment and the defense industry, sanctions, Internet policy, and military space programs.
Lewis received his Ph.D. from the University of Chicago and has authored more than 40 publications on a range of topics since coming to CSIS, including: Assessing the Risks of Cyber Terror and Cyber War, Strengthening Law Enforcement Capabilities for Counter-Terrorism and Globalization and National Security.
ERIC CHABROW: The Commission on Cybersecurity for the 44th Presidency didn't go out of business with the issuance of its report.
JAMES LEWIS: I wanted it go out of business, but everyone else wanted it to keep going.
CHABROW: What's the Commission now exploring? What critical cybersecurity challenges are present today that weren't present a year or so ago?
LEWIS: You know we have a new administration and it is energetically looking at these issues. We have got a lot of activity on the Hill. I think there are 18 cybersecurity bills right now, whether any of them ever turn into law is another matter, but we have got a lot of ferment and a lot of activity. But, we have two large problems that are going to be tough for the U.S. to deal with; maybe it is even just one large problem. We are still handicapped in some ways by old thinking about how to approach cybersecurity. We kind of are saying things that we said in the Clinton administration. What we are going to try and focus on is saying: what was appropriate ten years ago is no longer appropriate; we need to rethink the environment for cybersecurity and we need to rethink the role of government in it. And, that is what we are going to be looking at.
Taming the Wild-West Internet
CHABROW: When you say we are still thinking the way things were back in the Clinton Administration, what was "think" back then and what should it be now?
LEWIS: I just heard somebody from the White House says this as we want cyberspace to be unconstrained and uncontrolled and to be like the Wild West because the Wild West was best for innovation and we need to keep the free and untraveled Internet to allow for continued innovation and that the Internet community would itself eventually come up with a solution to cybersecurity. I don't agree on two grounds.
First, innovation can occur in a secure environment. If you look at cars, the fact that we require cars to be safe doesn't mean people have stopped making better cars. It just channels innovation and in some ways it incentivizes it. The second thing is - I myself believed in this, let's wait for the Internet community to come up with a solution. I actually wrote that in 1996 for some White House report and it has been 14 years; it hasn't happened. It's time to move on.
We have got to go through sort of an ideological debate within the government about what the best approach is; we have to go through it as a nation. It is complicated by companies desire to avoid liability and the privacy community's desire to constrain government, and a whole set of things, but we are going to have to think about how do we make this a more mature environment for the economy to work in.
CHABROW: Do you know when the next report will be issued?
LEWIS: Hopefully, in the next couple of months; we had originally hoped to meet the one year deadline and naturally missed it. I think we are going to shoot for sometime in early spring. We are working on a set of recommendations now that look at identity management and look at situational awareness and look at international engagement and hopefully in the next couple of months the majority of the group will come to some consensus on it.
CHABROW: You mentioned international engagement, I don't know whether I am trying to stretch it a little bit but obviously the Christmas Day attempt to blow up the jetliner over Detroit suggested, at least in the physical world, more collaboration, better collaboration among our international partners. Is there a takeaway from that incident to cybersecurity?
LEWIS: The point is more collaboration is better; the answer is clearly yes. It is a global network, right? So there are some things you can do internationally but there are other things you have to do cooperatively with other countries and we haven't been willing to admit that for the last eight years or so. Now, we are going to have to say what is it we want to do working with other countries to make the Internet and to make cyberspace more secure? What's possible?
There is a whole set of precedents. We have something called ICAO, the International Civil Aviation Organization, that sets the rules for how to operate airlines safely, commercial airline traffic. We have the agreements with Interpol and the G8 on how to deal with international crime. There is an organization called the Financial Action Task Force, which is a group of countries that agree on how financial networks should be made more secure. We got all these mechanisms for other things and it is time to think about what would the mechanism be for cyberspace.
Absence of Politicalization
CHABROW: So far I haven't noticed any politicalization of information security, is that an observation you also have?
LEWIS: Yeah, that's what people say is that this isn't a partisan issue and whether it will become one I don't know, but so far you have seen good cooperation between Sens (Jay) Rockefeller and (Olympia) Snowe, for example, or Sens. (Joseph) Lieberman and (Susan) Collins, a lot of good work on both sides of the aisle so it doesn't seem to be a partisan issue. Whether that will change?
(Rockefeller, D.-W.Va., and Snowe, R.-Maine, are chairman and ranking member of the Senate Commerce, Science and Transportation Committee; Lieberman, D.I.-Conn., and Collins, R.-Maine, are chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee.)
Eventually, everything in America will become partisan down to the shape of whatever goes on top of the National Christmas Tree, but so far we have dodged it and hopefully we can take advantage of the grace period as a nation to get some useful measures through.
CHABROW: Now speaking of Sens. Rockefeller, Snowe, Lieberman and Collins, as you mentioned there are about a dozen and half, another kind I have heard is three dozen bills before Congress that deal with cybersecurity and Lieberman promises to introduce a comprehensive cybersecurity bill in the coming weeks. What role should Congress play in helping secure the government's and nation's key digital assets?
LEWIS: We've got a set of laws that were basically designed in the 1970s for copper wire networks that used rotary phones. These were in the days when alligator clips still made sense. Those laws aren't appropriate anymore; they don't work for privacy, they don't work for civil liberties, they don't work for security.
You have also got a whole set of questions - what should the Department of Defense be doing? What do we want on identity management? What do we want on critical infrastructure protection that really is going to require some legislative fixes? There is a lot that the White House can do without legislation, but at the end of the day Congress is going to have to make some fundamental changes in how we secure the communications infrastructure.
There is another role that tends to get discounted and that is the oversight role. Nobody was particularly happy with the warrantless surveillance program. Congress didn't do a good job of oversight. One thing that will be essential for better cybersecurity is giving people the comfort that someone is paying attention and make sure that the laws regarding privacy and civil liberties are being observed. Update legislation, provide oversight, there is a lot for Congress to do.
CHABROW: On privacy, I hear that there is some concern about updating the privacy law, which I guess is about 30 years old. Is there some hesitation there, afraid that certain protections might get weakened by doing so and other interests in there. What do you hear abut the potential of the privacy law being updated?
LEWIS: I think one of the problems we have got as a country is just that we have a whole lot of people who are good at saying no. One of my friends here in Washington says that it is like a hockey game where everyone is a goalie; so we are really good at blocking shots but we don't ever really score anything.
You know the larger comment that worries me for the country, and I think this is an example of it, is there are a little bit of risks that bringing the laws into the 21st Century will somehow be bad? Yeah, I guess so, if we lose control and don't manage the process. I think it is just not a good way to approach things to start out by saying, "I want to be like my grandmother when she drives on the interstate, I want to stay on the right side and go 20 miles an hour. You can tell you have hit a nerve right. I don't think that is risk.
One of the reasons our networks aren't secure is we have a lot of people who are always willing to say no. One of the reasons we don't have a rail link between the major international airport and the nation's capital is because we have been saying no for 15 years. The Chinese were able to build their rail link in three years. People can make the deduction themselves on which country is going to be more competitive. The same is true for cyber. Don't tell me why we shouldn't do something; tell me what we should do.
CHABROW: Are you optimistic in that this new session of Congress we will see some type of significant cybersecurity and/or privacy legislation?
LEWIS: No. No, I think what you are going to see are some very good bills introduced and a long series of debates leading up to the end of the year. And then the question is will midterm elections derail this or will they be able to get something through? You know the best time to ask that question will be in September when people come back, will we see things put up for a vote? It is possible. There are some really good ideas in the legislation and I hope some of them get through.
CHABROW: When you say that you expressed your concern about legislation not being enacted and you raised the point of midterm elections, is that because of other non-technology, other non-information security reasons why these bills won't come to a vote or will there be something in these Bills that may cause some political concern?
LEWIS: Well, I think both, probably more of the former. Congressmen have to pay attention to being re-elected. So sometime starting in probably August their attention will be focused on the election and that means the CPU time available for significant new legislation will decrease. The bills have a whole set of provisions in them. You know you have probably seen the Rockefeller and Snowe bill, some have controversial parts and some don't. The bills themselves are pretty good, the one's I have seen; certainly the Rockefeller-Snowe bill has some really great stuff in it. But the question is will the timing work out to be that Congress can get to them.
CHABROW: Anything you'd like to add?
LEWIS: With (cybersecurity coordinator) Howard Schmidt coming in at the start of the year with some presidential attention, and with a lot of activity at the agencies, we might see some improvements in the next year or so. I am actually a little optimistic.