What Next? Cybersecurity Legislation in the Senate

Cybersecurity Bill Making It to Oval Office is Far From a Sure Bet
With the House passing the Cybersecurity Enhancement Act last week, add one more major piece of cybersecurity legislation for the Senate to consider. Even with its near-unanimous vote, there's no guarantee that bill or any significant cybersecurity measure will pass the Senate and be signed into law by President Obama this year.

"What you are going to see are some very good bills introduced and a long series of debates leading up to the end of the year," said James Lewis, senior fellow at the public policy group Center for Strategic and International Studies. "And then the question is: Will midterm elections derail this or will they be able to get something through?"

In the Senate during the 111th Congress, four other cybersecurity bills have been introduced:

    S 773: Known as the Cybersecurity Act of 2009, the measure among other things would provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption. Among all the Senate cybersecurity bills, this measure is most like the House-passed Cybersecurity Enhancement Act. Sponsored by Sens. Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine, chairman and ranking member of the Committee on Commerce, Science and Transportation, to which the bill had been assigned.

    S 778: This measure would establish within the Executive Office of the White House the Office of National Cybersecurity Adviser. Also sponsored by Rockefeller and Snowe, this bill was assigned to the Committee on Homeland Security and Governmental Affairs.

    S 921: Called the United States Information and Communications Enhancement Act, or U.S. ICE, it primarily would update the 8-year-old Federal Information Security Management Act, which provides the blueprint for federal departments and agencies to secure their IT assets. Sen. Tom Carper, the Delaware Democrat who chairs the Senate subcommittee with cybersecurity oversight, is the bill's chief sponsor. The measure was assigned to the Committee on Homeland Security and Governmental Affairs.

    S 1438: This bill would require the Secretary of State to submit a report to Congress on improving cybersecurity, encourage international cybersecurity cooperation and develop safeguards to protect privacy, freedom of speech, and commercial transactions for inclusion in cybersecurity agreements. Sponsored by Sen. Kirsten Gillibrand, D.-N.Y. The bill was assigned to the Committee on Foreign Relations.

And Sen. Joseph Lieberman, who chairs the Senate Homeland Security and Governmental Affairs Committee, has promised to introduce a comprehensive cybersecurity bill shortly.

The House-passed Cybersecurity Enhancement Act, HR 4061, hasn't been assigned to a Senate committee, but Rockefeller's panel is its most likely destination because it gives added cybersecurity responsibilities to the National Institute of Standards and Technology; the Commerce Committee provides NIST oversight.

Comparing Bills

Contrasting one bill against the others is akin to comparing apples, oranges, bananas and kiwis. They're complementary; they all aim to strengthen government IT security. But they each focus on different areas of cybersecurity, though overlaps among the bills exist. And at least three committees in the Senate have been granted jurisdiction over some aspects of cybersecurity.

Senate Majority Leader Harry Reid, D.-Nev., has called on his colleagues to work together to produce a single cybersecurity measure, and they seem amenable to that idea. It's presumed, though not guaranteed, that Lieberman's committee would vet an omnibus cybersecurity bill. But such cooperation is easier said than done.

"Predicting legislative action leads to lots of wrong answers," Alan Paller, research director at SANS, said. "What I know is that Sen. Reid gave Sen. Lieberman the lead on cyber for this session of Congress. Rockefeller and Snowe are much more tuned to the research and education initiatives, so they are likely to provide a big chunk of the content of the bill, and Carper's work is also excellent and will help shape the ultimate bill."

Still, a former chief technology officer of a major federal department who held other top-level government IT posts said he believes the House-passed bill or a Senate version of the legislation could pass on its own. The Cybersecurity Enhancement Act, in part, updates the High Performance Computing Act of 1991 that strengthens the role of the National Coordination Office - part of the White House Office of Science and Technology Policy - to coordinate cybersecurity research and development. "I see the House bill as a standalone and tied to the HPC Act of 1991, not likely to be tied to FISMA," the onetime CTO said.

A final decision on the legislation likely will occur during hard-nosed negotiations held behind closed doors in once smoke-filled rooms. The negotiators will include the key cybersecurity bills' sponsors, aided by their staffs. The Obama administration's new cybersecurity coordinator, Howard Schmidt, spent part of his first week on the job last month meeting with some of these players, and likely told them what the White House would like to see in a cybersecurity law. "I imagine Howard would be personally involved representing the administration's priorities in this area to the Senate," former federal CIO Karen Evans said.

But, as seen in the healthcare legislation, it's what the members of Congress want in a bill, and not necessarily the provisions the president seeks, that gets in the final version. Still, as Carper said last year, in shaping legislation, Congress would want to produce a bill the president will sign. "Sometimes we focus a whole lot on just getting something through the Senate without thinking about the executive branch or thinking about the House, and it has got to be that we think of those two as well, the administration and our House colleagues," Carper said in an interview with

Horse Trading

Though there's general agreement among lawmakers on the need for new laws to help secure the government IT systems and the nation's critical IT infrastructure, the elements of any comprehensive cybersecurity measure will be a challenge to piece together. "I am sure there is a lot of horse trading around various items in the bills," a former Department of Homeland Security senior IT leader said.

The puzzle piece that's received the most attention this past year is how high up in the White House hierarchy the president's IT security adviser should be positioned. Schmidt does not report directly to the president, though President Obama has promised to meet with him from time to time. Schmidt reports through the national security adviser. Some lawmakers feel the current situation is fine; others, like Rockefeller and Snowe, seek to establish an Office of Cybersecurity with its Senate-confirmed chief - the current post requires no Senate approval - reporting directly to the president.

Another thorny issue is how much authority should be given to the Department of Homeland Security in overseeing other civilian agencies' cybersecurity budgets. One version of Carper's bill does just that, though it's unclear whether that provision remains. The role the National Security Agency plays in monitoring Internet traffic to and from government sites is another issue where agreement isn't guaranteed.

Potentially the most divisive issue could be how much regulation the government should impose on businesses controlling the nation's critical IT infrastructure - about 85 percent of such IT systems are controlled by the private sector - a subject that could cripple a comprehensive cybersecurity bill. "If the bill starts to get heavily laden with new regulatory requirements or pull-the-plug language" - a reference to a provision in the Rockefeller-Snowe bill to authorize the president to shutter Internet traffic to and from federal systems in a cyber emergency - "then the legislation will get bogged down," said Greg Garcia, former DHS assistant secretary for cybersecurity and communications.

Still, the major roadblock to enactment of a cybersecurity law this year is all the other stuff going on in the nation and the world. Creating jobs, reforming healthcare insurance, fighting two wars and battling global climate take up a lot of bandwidth of the Senate, House and the president.

And then there's the November election for all of the House and one-third of the Senate seats. "Congressmen have to pay attention to being re-elected," CSIS's Lewis, who also serves as the project lead of the center's Commission on Cybersecurity for the 44th Presidency, said in a recent interview with "So sometime, starting in probably August, their attention will be focused on the election, and that means the CPU time available for significant new legislation will decrease."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
