Tom Carper on Cybersec Bill's ProspectsSenator Discusses Ways Infosec Measure Could Clear High Hurdles
In an interview with GovInfoSecurity.com (transcript below), the Delaware Democrat who chairs a Senate panel with cybersecurity oversight says with the forthcoming midterm elections and political bickering, getting any legislation - even an IT security bill with bipartisan support - presents a major challenge. "I could introduce a resolution, and say that Labor Day comes in the month of September, and I'm unlikely to get 60 votes for that," Carper says.
No one says Congress definitely will not enact comprehensive cybersecurity legislation this year, though most people in the know - including Carper - say it's highly doubtful, especially before the election. Still, Carper says, elements of the bill - perhaps his provisions to change FISMA to require continuous monitoring of agency IT systems - could be attached to another bill, such as the National Defense Authorization Act, an annual bill that primarily deals with military programs but is used as a vehicle for unrelated legislation because it always passes Congress.
In the second of a two-part interview, conducted by GovInfoSecurity.com's Eric Chabrow, Carper also discusses efforts underway to get the bill enacted and why some influential senators want to give the Department of Homeland Security more sway over civilian agencies on cybersecurity compliance.
In part one of the interview, Carper assesses the Obama administration's performance in safeguarding federal IT assets.
Carper chairs the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.
In a early 2009 interview with GovInfoSecurity.com, Carper detailed the approach he believes the government should take to defend its digital assets, including reform of the Federal Information Security Management Act, the law that governs federal government IT security compliance.
ERIC CHABROW: When we spoke a year and a half ago, you expressed confidence that your cybersecurity bill to reform FISMA (Federal Information Security Management Act) would be enacted the end of 2009. Since then, dozens of cybersecurity bills have been introduced and your measure is being incorporated into a larger omnibus bill. Why is it taking so long for the Senate to pass significant cybersecurity legislation?
SEN. TOM CARPER: It's taking a long time to pass almost anything. I could introduce a resolution, and say that Labor Day comes in the month of September, and I'm unlikely to get 60 votes for that, but to get anything done, we have a lot of nominations. And even still, this administration, and we're about 20 months into this administration and we have scores of positions for which people are nominated, good people, but they still haven't been confirmed. I think I'm told close to 100 judicial seats around the country, those are judicial seats that are unfilled. Some of them, the president has nominated somebody, but in a lot of the cases, he hasn't. It's just really a difficult environment to get anything done. I think that as much as anything else.
And on the cybersecurity bills, there's a bunch of them that have been introduced. You mentioned FISMA legislation but you have in the Senate, Sen. Jay Rockefeller, Sen. Olympia Snows, who have introduced cybersecurity bills, we have some others that have been introduced in the House. And folks on the Judicial Committee have their ideas and Armed Services have their ideas. But our leader, our majority leader in the Senate, is attempting to make sure that the Commerce Committee and the Homeland Security and Governmental Affairs Committee, which Joe Lieberman chairs, that we work out our differences, and we're making a lot of progress. I think the idea is to take that sort of, that work, and work with a couple of other committees that have an interest in these issues and some jurisdiction, and come up with a consensus bill. And the question is, do we try to then pass that on its own, or do we try to maybe offer it as part of the National Defense Authorization Act of 2010. But, it's hard to move almost anything by itself, because you move a separate bill, like on cybersecurity, it's open to an amendment. Any number of amendments can be offered to it, it's like fair game, and people try to stick stuff that is related to cybersecurity, people try to amend it with their favorite issue. It can take a long time to get things done. Then we have to go through filibusters and break filibusters. It's not easy.
CHABROW: You mentioned the National Defense Authorization Act, and that's what the House of Representatives did. They attached, basically, their cybersecurity legislation to that. Is that a good vehicle to use, and a likely one? Because obviously, Congress is going to have to enact the National Defense Authorization Act, and then it can be easier to deal in conference between the two versions of the cybersecurity measures in that?
CARPER: Yeah, I think we need to ask ourselves a couple of questions.
One, it is hard to get a measure like our cybersecurity legislation passed on its own. I think it's going to be difficult. What legislation might ... likely to be enacted that would be a logical place to amend or attach cybersecurity legislation. I think this is a national security issue. And, the bill, if we are to attach it to the National Defense Authorization Act, I think that is actually a place that makes a lot of sense.
The other thing that makes sense is it is very likely that it will pass the defense bill. And I think it is arguably interested in defending our intellectual property rights, if we are interested in protecting our identity, if we are interested in protecting our weapons systems, our weapons plans, and that kind of thing. It works on a couple of different levels. The fellow who chairs of the Armed Services Committee is Carl Levin. He is also on Homeland Security, and the fellow who is a ranking Republican on the Armed Services Committee is John McCain. He is also on the Homeland Security. In fact, he's the ranking Republican on the subcommittee that I chair that has done a whole lot of work on cybersecurity.
CHABROW: That's interesting that you mention McCain, because I believe he has some reservations about giving the Department of Homeland Security certain authorities over other civilian agencies on there are budgets that deal with cybersecurity, as well as other areas of enforcement. And I know that Sen. Collins, who is the sponsor of another bill, along with Sen. Lieberman, feels very strongly about the role that the Department of Homeland Security should play in overseeing federal civilian agency's cybersecurity compliance. So what are your feelings about that?
CARPER: Susan is the ranking Republican on the Homeland Security full committee, and Sen. Lieberman is the chair; they've both been ranking members and both been chairs from one time to the other. It's not unusual for the chair of a particular committee, or the ranking member on a particular committee, to want to exert their committee's jurisdiction more broadly, and to look for opportunities to do so. Some would say it's a parochial matter. Well, yeah, that's part of it. In my own view, it just makes sense, and it would create in the Department of Homeland Security, the idea was that we weren't going to get it right the first time, it's a big, complex bunch of issues, part of homeland security. My own view, given the growing threat from cyber attack, and to have the kind of specialty and expertise in Homeland Security that could be extended to a wide range of federal agencies, setting aside the parochical concerns, I just think it makes sense. For me, it just passes the common sense test, as well. So, we'll see.
CHABROW: What is holding up a compromise bill for this session of Congress, whether it goes with the Natinal Defense Authorization Act or a standalone, or something else?
CARPER: I think the thing that was standing in the way before is we weren't really sitting down with the Commerce Committee, with Sens. Rockefeller and Snowe, and their people, and we have been doing that for a couple of months now. We've made great progress. I think we are very close to where we need to be in developing a joint proposal. And, as I said earlier, there are a couple of other committees that have some interest in these matters and some jurisdiction in these matters. And, once the two principal committees, Homeland Security and Commerce, have found their common ground, I think the idea is to shop this proposal with a couple of the other committees, and see if we can get them to sign off for a little bit, and then we will be on our way, we need it to run as a separate bill, or to try to include it as an amendment to the defense bill, or maybe to do both, to see which approach works.
CHABROW: Will there be significant cybersecurity legislation enacted by Congress this year?
CARPER: You know, if I knew the answer to that question, I'd probably be in another business. I mean, it's hard to say. The need is great. This is a concern, protecting our sensitive information, our intellectual property rights, our financial information, weapons secrets, protecting that from criminal groups or from hackers, or from sovereign governments. It's not a Democratic or Republican issue, this is one that crosses boundaries. Even going through an election year, people will say, "You know, this is a big deal. We aren't going to agree on much else, but this is something that we ought to try to agree on now." Hopefully, that rational thinking will take charge. And even if it doesn't, then I think that we need to try again, to get the bill as an amendment to the National Defense Bill, and see what happens.
CHABROW: The defense authorization bill, that would need to be passed before Congress goes off for the election?
CARPER: Yeah. We try to do that before Congress goes out for the election. The defense bill is one that can be amended broadly. Sometimes we've spent literally weeks working on the defense bill. ... The question is, in the four weeks that we are going to be in session ...will be able to devote a full week, for example, to the defense bill, when we consider everything else that we are doing. If we can't get it done then, I guess we can always come back after the fact. I think my preference, and I think the preference of most of us, I think is to get it done before we break for the election.
CHABROW: Would the results of the election dictate what kind of legislation, including cybersecurity legislation, that could be done during a lame duck session?
CARPER: Most people expect Republicans to pick up some seats, and I think that's likely, it usually happens in this kind of off-year election. If the Republicans are successful in picking up some seats, they might be less anxious to go in and pass much in a lame duck session. I think that if they pick up a lot of seats, which is possible, but I don't think likely, but if they should pick up a lot of seats, then I think they would be reluctant to really do much of anything. They'll just say, "Well, we'll just wait and come back in January when there are stronger numbers, and then reengage." We'll see. There's some issues that I think, and cybersecurity I think, is one of them, that is less of a partisan issue and just more of a national security issue, that we ought to do sooner rather than later, and I hope we simply will.