Cybersecurity Law: What Congress Can, Cannot Pass
Time Is Running Out for the 111th Congress to Act
And if no vote occurs before the midterm election, as now seems likely, the chances of a wide-ranging bill becoming law during a lame duck session diminish should Republicans win control of either or both houses. It's not that GOP lawmakers oppose IT security reforms; they don't. They would just want to control the congressional agenda.
"If the Republicans are successful in picking up some seats, they might be less anxious to go in and pass much in a lame duck session," said Sen. Tom Carper, the Delaware Democrat who chairs a Senate subcommittee with government IT security oversight and is the sponsor of several cybersecurity bills. "They'll just say, 'Well, we'll just wait and come back in January, when there are stronger numbers, and then reengage.' We'll see."
Making a firm prediction on what Congress may or may not do can prove risky. Some significant elements of cybersecurity reform could become law by year's end, perhaps as a rider to some other legislation such as the National Defense Authorization Act. For instance, provisions updating the way the federal government governs IT security, by encouraging continuous monitoring of computers and networks instead of the current practice of checking off boxes to show compliance with federal cybersecurity rules, could make it to President Barack Obama's desk, as could measures to increase funding for cybersecurity education, awareness, and research and development.
Contentious Provisions
Yet some provisions of a comprehensive cybersecurity bill remain controversial, such as requiring the government to purchase secure IT wares and, most problematic of all, what regulations the government should impose on the businesses that control 85 percent of the nation's critical IT infrastructure.
Requiring the government to purchase IT tools preconfigured with security controls makes sense to many lawmakers; the government already requires federal agencies to install the Microsoft Windows operating system with defined security controls as part of its successful Federal Desktop Core Configuration initiative. But some vendors contend that if the federal government establishes minimal security standards for IT wares, its massive purchasing power would make those standards the de facto standard for such products in the overall marketplace. And the cost of securing them could drive up their price tags and, perhaps, diminish sales. If the bill included such a provision, a single senator could object, blocking a vote until supporters could muster the 60 votes needed to override the objection, an obstacle rarely cleared this year.
Another provision that could prove problematic is how much authority Congress should grant the government to direct the private sector on how to secure the critical IT infrastructure it owns and operates. It's a dicey matter trying to balance regulation that assures critical networks are secure against the right of businesses to operate their own infrastructures without government interference. People familiar with the legislative process say there is general consensus that, whatever regulatory regime is adopted, oversight would remain with existing regulatory agencies, with the Department of Homeland Security providing guidance unless regulators want DHS to take the lead.
Also, there's no consensus on the role the National Security Agency should perform in securing the critical IT infrastructure and civilian agencies' IT. The NSA, the electronic spy agency that's part of the Defense Department, has more expertise in cybersecurity than any organization in or out of government, but many lawmakers feel uncomfortable giving a Defense Department agency a direct role in the cyber protection of networks outside the military and intelligence community.
White House Hesitance
And, to some, the White House is seen as a barrier to quick congressional action on a comprehensive cybersecurity bill. People knowledgeable about the legislation say the Obama administration hasn't formally weighed in on the legislation before Congress, a point a White House spokesman disputes. No one doubts the administration's commitment to enhancing information security, and Cybersecurity Coordinator Howard Schmidt is credited with aggressively working toward that end. But there's little evidence that the administration is as insistent on IT security legislation being enacted in 2010 as it is on other ways to shore up digital safeguards. The White House declined to make Schmidt or another administration official available for comment on its cybersecurity legislative agenda.
"The White House could help drive this; the White House could get up and say we need this," said former Rep. Tom Davis, the Virginia Republican who coauthored the Federal Information Security Management Act and the E-Government Act. "There's no immediate political value in pushing your green stamps on this because the public is pretty oblivious to this."
Dan Chenok, chairman of the federal Information Security and Privacy Advisory Board, said Schmidt and his team are focused on a wide variety of cybersecurity issues such as developing partnerships with industry to secure the nation's critical IT infrastructure and beefing up the Department of Homeland Security's cybersecurity abilities. "They're trying to do a lot of things in the cyber arena within the administration, and it's taking a lot of their focus to get that done," he said. "Every hour they spend on legislation takes time away from that."
Melissa Hathaway, who led President Obama's cyberspace review in 2009, said the White House is working with government agencies to identify cybersecurity reforms that could be incorporated in legislation to be introduced in the next Congress. "I just don't think they've come to an agreement on all of the things they would like to see to put forward into comprehensive legislation," she said.
Focus on the Senate
The House enacted its version of comprehensive cybersecurity legislation (though the word "comprehensive" could be debated) when it approved the National Defense Authorization Act, a bill that generally sanctions various military programs but is a popular vehicle for amendments, known as riders, that address other matters, because the legislation nearly always passes. One of the provisions attached to that bill would establish an Office of Cyberspace in the White House with a Senate-confirmed director.
Thus, much of the focus is on the Senate, where Majority Leader Harry Reid, D-Nev., has asked the committees with IT security jurisdiction (several dozen committees and subcommittees have some type of IT security jurisdiction) to come up with a compromise bill. The staffs of the two key committees involved, Homeland Security and Governmental Affairs and Commerce, Science and Transportation, have been working on reaching a consensus bill since the summer, and have made progress. But not all issues have been resolved, and for the most part the other committees with jurisdiction, such as Armed Services, Foreign Affairs, Judiciary, Intelligence and State, to name a few, have yet to weigh in. And Reid didn't schedule a vote on a comprehensive cybersecurity bill before the election.
"It's a timing issue with the election coming up," said Jim Lewis, senior fellow at the Center for Strategic and International Studies and project leader of the Commission on Cybersecurity for the 44th Presidency. "The ability to get members' attention to cut the deal that you would need to get the bill is limited now."
The focus of the negotiations centers on two bills: the Protecting Cyberspace as a National Asset Act, sponsored by Sens. Joseph Lieberman, ID-Conn.; Susan Collins, R-Maine; and Carper; and the Cybersecurity Act, championed by Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine. Like information technology itself, a comprehensive cybersecurity bill is very complex and addresses dozens of different challenges. Put simply, and it's often dangerous to oversimplify, the comprehensive bill spotlights two areas: how best the government secures its own computers, systems and networks (Lieberman-Collins-Carper), and what role the government should perform in regulating the nation's critical IT infrastructure, 85 percent of which is owned and operated by business (Rockefeller-Snowe). Both bills, though, do a lot more than that.
The What Ifs
Should the Senate pass any cybersecurity legislation this year, it would need to be considered by the House. The simplest way to get some cybersecurity legislation enacted would be for the Senate to pass the National Defense Authorization Act in the lame duck session, with a House-Senate conference committee ironing out the differences between the two chambers' versions. An attempt last week by the Senate to vote on the defense bill was blocked by a Republican filibuster because it included a provision to repeal the Don't Ask, Don't Tell law that prohibits gays from serving openly in the military.
If no bill passes this year, not all will be lost. Davis said there is much the administration can do, and is doing, on cybersecurity, such as reforming FISMA rules to require continuous monitoring of IT systems. "The administration wants to act and make this a priority; the only thing you need from Congress is money," he said. "So, there is nothing to stop OMB (Office of Management and Budget) or an executive board or something from taking this and ordering the bureaucracy: 'This is what we do.'"
And there's always 2011. Legislating is an evolutionary process that often progresses slowly from one Congress to the next. "One thing that we did that was good is that we raised the profile of the issue," Lewis said. "Now, nobody won't say cybersecurity is a problem, and that's a positive thing. ... We bumped it up on the agenda; we got people talking about it. That's how it goes in a democracy; we're going to have to talk for a few years."