Rep. Clarke: Slowdown on "Czar" Bills
House IT Security Panel Chair Reluctant to Codify Cyber Aide
"I don't know that it's necessary at this stage to put it in statute," Clarke, D.-N.Y., who chairs the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, said in an interview with GovInfoSecurity.com (transcript below). "I'm hesitant to rush into a whole lot of legislating around cybersecurity."
Instead, Clarke said, she'd like to see President Obama carry through on his promise of last May to appoint a White House cybersecurity coordinator, and then assess the situation. Then, the White House and Congress, working with the private sector, can determine what's truly needed and what needs to be legislated to safeguard the government's and the nation's critical IT assets. "Without having that coordinator, [it's] sort of putting the cart before the horse, basically trying to legislate in a vacuum, and I don't know that that's the most productive way of determining what's in our best interest at this stage."
In the interview, Clarke also discussed key elements of what she terms the National Data Breach Law and how far Congress should go to regulate private-sector IT and data.
Clarke represents one of the country's most ethnically diverse Congressional districts, New York's 11th in central Brooklyn, which includes some of the borough's most recognizable sites: Prospect Park, Grand Army Plaza, Brooklyn Botanical Gardens, Brooklyn Museum of Art and the Brooklyn Library. The 11th is the nation's third smallest Congressional district by area - 12.05 square miles - and the smallest represented by a woman.
The congresswoman was interviewed by GovInfoSecurity.com Managing Editor Eric Chabrow.
ERIC CHABROW: We're recording this interview in mid-October, and earlier today as part of your role as the panel's chair, you assembled a roundtable of some dozen-and-a-half cybersecurity experts from government and industry to get their perspectives on the IT security challenges the government and nation face. From what you heard and from your perch as chairwoman of the sub-committee, how secure are the federal government's information systems and networks?
YVETTE CLARKE: Not as secure as they should be. It's no secret that we've had a number of breaches of the .gov space. There have been a number of instances just within this past year. They've been real invasive types of attacks on our government infrastructure. The good thing is that we're becoming much more proactive in addressing these issues, but there's still much more work to be done.
CHABROW: It's been nearly five months since President Obama in his White House speech outlined his administration's cybersecurity policy which included a pledge to appoint a senior level White House cybersecurity coordinator, a position that remains vacant, and one I know you would like to see filled. How generally would you assess the president's performance on cybersecurity?
CLARKE: We have to give credit where credit is due. President Obama is the first president we've had that has really integrated the whole need for cybersecurity into his enunciation of national policy, and that gives a lot of hope and credibility to all the work that is being done, but now we need to see a bit more action from the administration with regards to this level of consciousness. There's definitely a need to see the cybersecurity coordinator embedded at the White House, so that we can have much more dynamic interactions with the private sector and the security sector and government sector for the protection of our nation: our data, information, our intellectual property, our financial sector, and with the deployment of health IT, the deployment of the smart grid, it becomes imperative. One of the things that my office has done is sent a letter to the president urging that he give this as much due consideration and that he expedites the decision-making process around identifying and placing that coordinator over there at the White House.
CHABROW: Do you have any idea why it's taking him so long to name somebody?
CLARKE: I can't say why; I can say that the person who would fill this position has an extraordinary task ahead of them and must come with a very unique set of skills, so identifying and embedding a person for this position must be somewhat of a burdensome task, but it's a task that we must do, and we must do it with all deliberate speed.
CHABROW: Do you see any damage done to the government's or the nation's IT infrastructure because we've gone now almost five months without a cybersecurity coordinator?
CLARKE: I don't think that would be the sole reason for any damage that may have been done. I think that each agency is really stepping up and building up its own capabilities. The challenge without having that coordinator is not having the type of interoperability, information sharing, real-time information sharing and collaboration that is required to put up an all out defense and establish an offensive stance, is what the problem is. That person sort of becomes the accountable person, becomes the one that is able to cross all jurisdictions and really pull the pertinent information together to make decisions. That's where the challenge lies right now.
CHABROW: A lot of cybersecurity experts, including a commission last year advising the new president, recommended that the White House establish an office of cyber space. Do you feel that is something that should be done through statute, something Congress should enact?
CLARKE: I don't know that it's necessary at this stage to put it in statute. I'm hesitant to rush into a whole lot of legislating around cybersecurity. I would like us to get that coordinator in place, begin the process of sorting through all of the intelligence that we've been able to gather within our various agencies, pull in the private sector to see what substantive role they're playing in really developing the new software and technologies that are required for us to detect invasion and to prevent the extraction of information from our critical infrastructure, prevent attacks that are dangerous in nature that could set off catastrophic occurrences and use that space to then determine whether an office is most appropriate. I see us, without having that coordinator, sort of putting the cart before the horse, basically trying to legislate in a vacuum, and I don't know that that's the most productive way of determining what's in our best interest at this stage.
CHABROW: Are you familiar with several bills that are before the Senate now, one by Tom Carper, the other by Jay Rockefeller, that are addressing these cybersecurity issues?
CLARKE: We've heard about it, but we've not been able to acquire a draft of them as of yet.
CHABROW: Are you hesitant? You seem to suggest that maybe those kinds of bills may be premature, or am I reading something wrong in what you previously said?
CLARKE: I can say, from the House side, we have taken the posture of beginning with these types of discussions with the private sector. Looking at their suggestions right now about what would be helpful to them to really one-set standard that are sort of universal standards. For instance, out of our conversation today, there was a consensus, that FISMA (Federal Information Security Management Act) reform for instance, is something that is desired, and that could be helpful in setting a platform for true cybersecurity. There was also the conversation around information sharing, rethinking our motto of how that's done. There were also suggestions of establishing sort of a third-party, non-profit clearinghouse. It's sort of getting that creative thinking, all of the ideas out front and then from that perspective, looking at what other committees of jurisdictions are working with and then legislating from a basis of practical applications.
CHABROW: Do you think something like a FISMA reform can occur this year or at least next year?
CLARKE: We're looking more at next year.
CHABROW: In the coming months, what can we expect from your subcommittee in a sense of hearings?
CLARKE: One of the things that came out of today's conversation was the fact that we need to sort of coordinate in every sector of the cyber world, for lack of a better term. We want to bring in some of our preeminent private sector folks around who manage data, who store data and talk about what's happening in terms of data breaches. One of the recommendations that came out of our conversation today was establishing a national data breach law. We also talked today about the need to address a national identity management plan, authentications. Those are areas we really need to look at in terms of IT protection, and how we can work with the private sector to create some parameters under which there will be constant review and constant reform, and one of the main areas that people talked about, is when we looked at legislation, is moving away from a compliant model to a risk-based model, because it's been the experience of people in the field, that compliance is way too static, when we're dealing with such a fluid and dynamic space such as the cyberspace, so that we look at establishing sort of risk-based standards. The management models that will flow from that will be much more in keeping with the nature of cyber attacks in cyber space.
CHABROW: Let me go back to something that you just mentioned a few moments ago. You talked about establishing a national data breach law. What would that include?
CLARKE: Wow, that's huge. You know, one of the things that came out of the conversation today is that the food chain for data is extremely deep. The portals for collecting data, storage of data are numerous and vast, and that we need to look at just about every sector to really look at where those challenges lie. Whether it's the small business merchant that is taking in or exchanging data for the purposes of commerce or that data storage entity that has been attacked and has had all of our information stolen from, we need to get some real-time interactions with those entities to really craft a data breach law that is fair and that takes into account the various ways in which data is retrieved and sent through cyberspace, how it's intercepted, how it's stored and do what's most appropriate. We're going to have to do many more hearings before we can really establish what I would consider to be a law that 1, does not inhibit an invasion, but 2, creates a space and creates parameters under which everyone can live and operate.
CHABROW: It sounds like to me, correct me if I'm wrong, that there is a role for government to revise some kind of regulation in how data is exchanged and stored. Is that what you're talking about here?
CLARKE: Well, yes, that was part of what came out of the conversation today, and I think that's why folks were really looking at FISMA reform, before we could do anything.
CHABROW: But FISMA reform would basically deal with how the government itself secures its data or those who are [overlapping conversation] ...
CLARKE: .... Right, and they wanted -- I think some of the private entities there felt that that would sort of lay a framework for how you would then address that in a private sector as well.
CHABROW: There is a feeling among some people that obviously there's a reluctance within industry to have regulation, but there's also a feeling that there might need to be some kind of regulation to ensure cybersecurity, especially if private IT infrastructures are crucial, such as utilities, banking, things like that.
CLARKE: That's correct. It's really striking that balance that's going to be important here. Given the evolving nature of the data breaches, bring some uniformity to our expectations of how data is managed, dealt with and stored. I think everyone has come to that realization. It's just looking for sort of best practices and what makes sense, so that we don't again inhibit or dampen innovation and expectation, quite frankly, of the public of what they've come to utilize in their daily lives.
CHABROW: One more thing about this data breach law. Do you expect that you'll have hearings in your sub-committee or maybe the whole committee this year on that subject?
CLARKE: In light of some of the most recent occurrences, I will be checking to see if a calendar can accommodate it, because I think it is important for consumer confidence that we really look at what is happening with respect to our very vital information that's kept in these databases in corporations that manage our data. I don't know that the calendar for the rest of this year will permit it; I will certainly submit it. This is an area that we'd like to hold hearings on.