Congress Seeks Enhanced Cybersecurity OversightIntel Act Would Ensure Greater Congress-White House Cooperation
"The prior reluctance to invite Congress into the cybersecurity debate in a timely manner was to the detriment of what could have been a more cooperative and productive interaction between the branches," said a report issued this week by the Senate Select Committee on Intelligence, which unanimously approved the measure earlier this month.
Provisions in the Intelligence Authorization Act for Fiscal Year 2010 would ensure the White House makes Congress aware of significant legal, privacy and operational issues with respect to each new cybersecurity program. Funding for cybersecurity projects could be withheld if the executive branch proves uncooperative, according to the 80-page report the committee issued following adoption of the measure.
"The committee is troubled by the lack of situational awareness about the opportunities, activities and identities of cyber thieves or potential attackers on U.S. information networks," the report said. "This is a serious weakness and a source of frustration for those responsible for oversight and strategic decision-making. Unfortunately, it will not be easy to remedy this, as incentives to report cyber intrusions and vulnerabilities are generally negative in the U.S. government and private sector. The committee believes this must change so that cybersecurity leaders can make well-informed decisions and respond to problems quickly."
Some provisions of the bill, which must be approved by both houses, would require:
- Agencies to report to Congress the results of cybersecurity audits or reviews.
- Inspectors general of the Department of Homeland Security and the intelligence community to prepare a report on the sharing of cyber threat information within the federal government and with those responsible for critical infrastructure. The inspectors general should identify any barriers to sharing cyber threat and vulnerability information, and assess the effectiveness of current sharing arrangements.
- Intelligence community to detail an officer or employee to the Department of Homeland Security or the National Cyber Investigative Joint Task Force to assist with cybersecurity for a period not to exceed three years. "This detail authority, however, is restricted to a period not to exceed three years to prevent details from being used as an alternative to building expertise at civilian cyber defense agencies," the committee report said.
"It is clear that cybersecurity activities must be conducted with an expectation of particularly strong congressional oversight that will require solid executive branch planning before funding for multi-billion dollar programs are authorized and appropriated," the panel report said. "In addition, there must be a rigorous analysis of the government's use of legal authorities for national cybersecurity missions that preserve the reasonable privacy expectations of U.S. persons. The government's role must be well-defined as activities involving the Internet evolve."
Committee members, in the report, also called for:
- Boosting spending on cybersecurity research and development. "The cyber technology world is moving quickly, with cutting-edge technology expertise spread across the globe, and the United States cannot presume a clear-cut technology advantage as it has in other areas of national security."
- Improving international cooperation to develop a consensus on the type of cyber activities to be promoted, tolerated and censured. "An international framework on cyber warfare, much like international conventions on traditional warfare, is needed to govern this rapidly growing field."
- Increasing the government's focus on securing the U.S. critical infrastructure, such as the electric power grid, communications systems and financial networks that are crucial to the American way of life yet unacceptably exposed to cyber attack. "The government and the private sector must work together to share more effectively cyber threat and vulnerability information, and the administration and the Congress must work together to determine the best mix of mandates, incentives and other tools to improve critical infrastructure security."
- Changing U.S. immigration policy to offer expedited citizenship to certain foreign nationals studying in the United States who graduate with degrees in science, technology, engineering, and mathematics, with particular focus on computer science.
The panel, in its report, said its incumbent on the government to communicate to the public steps being taken to secure government and critical infrastructure IT. "Though some elements must be classified, it is important that the U.S. people understand the government's basic role in helping to secure information networks," the report said. "The general rules and expectations for government involvement, and how these may affect privacy, must be clearly explained."