Standards, Regulations & Compliance
Lawmaker: Pressing Need for Cybersecurity LawMcCaul Sees Colleagues as Failing to Grasp Urgency of Cyber Threat
"When you look at what the threat is ... when you think about the fact that every federal agency has been hacked into and enormous amounts of data have been stolen, mostly espionage, we really don't have a whole lot of time to act," McCaul said in an interview with GovInfoSecurity.com.
The Texas Republican earlier this month joined Rep. James Langevin, a Rhode Island Democrat, in introducing the Executive Cyberspace Authorities Act of 2010, a bill that would establish a National Cyberspace Office in the White House, with its Senate-confirmed director having sweeping authority of the IT security budgets of federal civilian agencies. Both lawmakers have much in common: they co-chair two cybersecurity panels: the House Cybersecurity Caucus and the Commission on Cybersecurity for the 44th Presidency, the bipartisan panel sponsored by the Center for Strategic and International Studies.
McCaul, in the interview, offer a scenario in which authorities nabbed foreign spies caught inside the Pentagon pilfering top-secret papers. "Imagine the alarm that would cause across the nation," he said. "Yet, in the virtual world, that is happening every day and so much data has been stolen; it rivals the amount of the data in the Library of Congress. This is not some hypothetical game."
Creating an Office of Cyberspace within the White House that's answerable to Congress would provide the leadership urgently needed to help combat the cyber threats to the government's and nation's critical information systems, said McCaul, who represents the Austin area. "A lot of people don't understand the issue very well, but whether it's espionage or whether it's cyber warfare, 30 countries are actively developing cyber warfare programs. This is a serious issue," he said. "We are kind of beyond listing a hypothetical world in the terms of cyber. This is the real stuff and it can cause real damage."
In an interview, conducted by GovInfoSecurity.com's Eric Chabrow, McCaul explains the:
ERIC CHABROW: Rep. James Langevin and you introduced the Executive Cybersecurity Authorities Act of 2010. The bill would establish an Office of Cyberspace in the White House, with its director to be nominated by the president and confirmed by the Senate. The measure also gives the director sweeping authority to approve and review the IT security budgets of civilian agencies. Why give the cyberspace director such broad authority over the cybersecurity spending plans of civilian agencies.
MICHAEL McCAUL: Without the requisite authority, they can't carry out the mission. The one thing the Commission on Cybersecurity for the 44th Presidency, through our recommendations to the president, with respect to this position. which was kind of the No. 1 recommendation, was that these agencies aren't coordinating. They are not working together, so the offensive capabilities through the cyber warfare, cyber operations are not working with the agencies cast with defensive capabilities. ... It had to be all the way to the White House to have the imprimatur of presidency. Without that authority given to this person with some budgetary ... they really can't carry out the mission. That's precisely in my view why Melissa Hathaway probably ducked out; she was set up to fail in this position without given the authority to carry out the mission. Then that's why Howard Schmidt, who is the current White House cyber coordinator, and (if he were) Senate confirmed, it also provides a civic burden on him to come in and report to Congress. And our worries right now is that really he doesn't' have that burden on him.
CHABROW: Is there a problem with getting congressional support for some cybersecurity initiatives with the ability to question what some people consider the most senior person in government dealing with cybersecurity?
McCAUL: Yes, I think right now the way it stands is that the cybersecurity coordinator doesn't really report to the Congress, and that is the whole point of this new Office of Cyberspace to coordinate with the relevant agencies, and then report back to the Congress about what is happening. It elevates the seriousness of the issue of cybersecurity, which when we had our hearing and talked to the high levels of the military, this is probably one of the biggest threats we face in this century, in terms of not only criminal cyber attacks, espionage but more important cyber warfare. So this needs to be elevated to the highest levels in our view, and this person needs to have the requisite authority to carry out the mission and at the same time report to the Congress, because right now the way it is set up in the White House, we talked to Howard Schmidt and he doesn't have any reporting requirements to come to the Congress and tell us what he is doing.
CHABROW: What is the likelihood of this bill getting passed this year? I mean obviously it's getting hard to pass anything these days in Congress and most cybersecurity, and also most cybersecurity legislation in Congress really hasn't gone very far?
McCAUL: Dan Lipinski and I passed the cyber bill out of the House, this Congress first time in a while we've seen a major piece of cybersecurity legislation get passed and gets in the Senate. You've got (Rockefeller-Snowe) bill out there, I am hopeful we can get somebody get that together conference committee. This bill, I just talked to Jim Langevin, we've got a congressman the Democrats from Rhode Island and I had this very conversation with him. They're in the majority, I'm not, and I said: What are the chances of us pushing this through? And, he was very optimistic. I will say as I think the administration, while they may not come out championing or advocating for it, at the same time I think they will not certainly be against it by any means. One thing the president did do, after our recommendations came out, was he came out with a press conference and adopted many of the recommendations including this position, but the failure in my judgment was not to give this position again the authority it needs to carry it out. If you don't have the credibility in terms of authority and budgetary authority, it's just a nice meeting to have with NSA or DoD or Homeland Security, but if you don't have any leverage they're not as likely to do what needs to be done.
CHABROW: Can this bill, a measure like yours, be incorporated into a bill such as the Cybersecurity Enhancement Act; would that be appropriate?
McCAUL: If Congressman Langevin and I can get this through the House as well, then I think what you could see from a procedural standpoint is something coming out of the Senate. If you look at some of the Senate bills, they also make similar recommendations about this position. The White House having an office of cybersecurity, which we clearly need, and I think there is good opportunity here that possibly to marry those two bills and kept the ones that come out of Senate, and the conference committee achieves that goal.
CHABROW: So what odds would you say some kind of cybersecurity legislation will be enacted this year by Congress?
McCAUL: Yes, that's our hope. I'm not in the majority so I can't draft the agenda, but I can work with it. I've worked very closely with the majority to try to get these bills passed because they are so important.
We really don't have a whole lot of time to wait on these things. When you look at what the threat is, as we had our hearings, when you think about the fact that every federal agency has been hacked into and enormous amounts of data have been stolen, mostly espionage. We really don't have a whole lot of time to act. The Pentagon was hacked in to. Imagine its like agents of a foreign power were caught stealing paper files out of the Pentagon; imagine the alarm that would cause across the nation. Yet in the virtual world that is happening every day and so much data has been stolen, it rivals the amount of the data in the Library of Congress, so this is not some hypothetical game.
A lot of people don't understand the issue very well, but whether it's espionage or whether it's cyber warfare, 30 countries are actively developing cyber warfare programs. That is a serious issue. Some are our friends and some are not. Imagine Iran if we pass the Iran Sanctions Act, and Israel threatens them if they respond with a cyber attack; they could do a lot damage. We are kind of beyond listing a hypothetical world in the terms of cyber. This is the real stuff and it can cause real damage.