Senate’s Cybersecurity Legislation Faces a Tangled Organizational Web- CQ Today
CQ TODAY PRINT EDITION – HOMELAND SECURITY
Nov. 3, 2009 – 8:18 p.m.
By Tim Starks, CQ Staff
In the coming weeks and months, the Senate will attempt to move major legislation on cybersecurity, a subject so sprawling that some suggest it is too complex for Congress to handle.
The latest effort comes from Joseph I. Lieberman, I-Conn., the Homeland Security and Governmental Affairs Committee chairman, who announced last week his plans for a bill that would create a Senate-confirmed White House adviser on cybersecurity. He wants to introduce his legislation next month with his panel’s top Republican, Susan Collins of Maine. But he and Collins do not agree on where in the government to place the official.
No fewer than five Senate committees have a significant role in cybersecurity, and virtually every committee has some kind of stake. Also playing a role is the House, where a more piecemeal approach is under way.
Cybersecurity is so broad a subject that any legislation raises questions of economics and trade, technology and regulation, government structure and privacy, foreign policy and national security.
“The issue itself transcends and touches almost everything we as a government do,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute.
As such, it might be too big for Congress to handle effectively. “It’s a huge challenge,” said Larry Clinton, president of the Internet Security Alliance, a business group. “The Congress is badly structured to deal with cybersecurity issues.”
But Clinton said Congress could overcome its jurisdictional problems with such a wide-ranging topic, as it has with similarly broad topics before.
The legislative initiatives follow reports this spring that cyberspies from China, Russia and other countries penetrated the U.S. electricity grid. Even Congress itself has been hacked, and on the same day Lieberman detailed his proposal, Rep. Yvette D. Clarke, D-N.Y., was hosting a class of sorts for Capitol Hill staff members that was designed to shore up cybersecurity practices.
Already, the Senate Commerce, Science and Transportation Committee has gone through two drafts of its own cybersecurity legislation (S773), sponsored by Chairman John D. Rockefeller IV, D-W.Va., and his panel’s top Republican, Olympia J. Snowe of Maine. An aide familiar with the legislation said a final draft is likely to receive a committee markup in a matter of weeks.
Who’s in Charge?
The two Senate bills could be combined at some point, although what happens next is still unclear. The office of Majority Leader Harry Reid, D-Nev., has “encouraged all the committees to start working, whether in parallel or combination,” a Senate aide said.
One point of dispute in the Commerce Committee’s bill has been over how much authority the president should have to limit Internet traffic during an emergency.
There is another issue to be addressed by any final bill: Who’s in charge?
President Obama announced in May that he would appoint a cybersecurity chief in the White House. But months later and without a coordinator in place, some have grown impatient.
“The urgency for progress in cybersecurity remains, and, therefore, so does the need for the appointment of a qualified, credible, senior-level official to the cybersecurity coordinator post,” Phil Bond, president of TechAmerica, a technology industry group, wrote in a letter to Obama on Oct. 30.
Lieberman’s bill would create a Senate-confirmed White House adviser; the administration has not proposed confirmation for its coordinator. But Collins argues that the appointment of another “czar” is problematic, instead preferring the official be placed inside the Department of Homeland Security.
Existing cybersecurity efforts are difficult to coordinate because responsibility for the security of computer networks lies with a hodgepodge of the private sector, the Pentagon, Homeland Security and other agencies.
Another concern is how much to enforce private sector compliance with cybersecurity measures. A version of the Rockefeller-Snowe bill would establish enforceable cybersecurity standards. Lieberman and much of industry prefer an approach that provides incentives or encouragement for the private sector to upgrade cybersecurity.
Clarke said any legislation has the potential to backfire because technology is evolving so quickly.
“At the end of the day, we’re trying to protect the confidentiality, integrity and availability of data. But the location of the data is constantly changing,” said Clarke, chairwoman of the House Homeland Security Subcommittee on Emerging Threats.
“A few years ago, we could have written legislation mandating that all agencies erect firewalls,” she said. “Last year, we could have mandated that all agencies install intrusion prevention and detection systems. But with the emergence of new technologies like cloud computing, that method is quickly becoming obsolete.”
In the House, Democrats and Republicans on the Homeland Security Committee have proposed legislation (HR2195) that would give the Federal Energy Regulatory Commission (FERC) the authority to impose emergency regulations to protect electric utility cybernetworks and uphold the rules independently for up to 90 days.
Members of the House Energy and Commerce Committee introduced a bill (HR 2165) that would similarly expand FERC’s authority but would allow the commission to uphold the new regulations for up to a year. A subcommittee held a hearing on the bill last week.
Several other proposals are floating around Capitol Hill, such as boosting research and development funding, suggesting the need for a “cyber ambassador” who would work with foreign governments, and extending legal protections to companies that share information with the government about the vulnerability of their networks.