Obama Cybersecurity Package Praised, Criticized
Senators Like Most of Package, But Question Specific ProvisionsAt a hearing Monday of the Senate Committee on Homeland Security and Governmental Affairs on the White House cybersecurity legislative package, the panel's ranking Republican, Susan Collins of Maine, also faulted the president's proposal that would create an evaluation process that could disclose the identity of companies operating critical IT systems that fail to meet cybersecurity standards. "I don't want to give those who would do us harm a roadmap to attack our critical infrastructure," she said.
Collins and Sen. Joseph Lieberman, ID-Conn., also said the administration package didn't go far enough to provide liability protection to companies that take steps to safeguard their IT systems but fall victim to attack. "Failure to do something on liability could prevent passage," said Lieberman, who chairs the committee.
And, Lieberman noted a major difference between the administration legislative package and the comprehensive cybersecurity legislation he's sponsoring with Collins and Sen. Tom Carper, D-Del. (see Senate Bill Eyes Cybersecurity Reform): The Senate bill would provide for a Senate-confirmed presidential cybersecurity adviser, who also would report to the Secretary of Homeland Security. "We just believe that the stakes are too high, when it comes to cybersecurity for our country, that whoever holds this position should be confirmed by the Senate and therefore be accountable to Congress," Lieberman said. No senator asked administration officials during the hearing why the president does not want a Senate-confirmed cybersecurity director.
Still, Lieberman, Collins and Carper generally praised the White House proposal unveiled May 12 because it mostly parallels their bill, including giving Homeland Security authority over civilian agency IT security. The three senators - the only lawmakers to attend the hearing - were effusive in lauding the administration on how various cabinet departments collaborated to help produce the president's legislative package. In an unusual move, the four administration witnesses - from the departments of Commerce, Defense, Homeland Security and Justice - submitted a single version of their prepared testimony.
Presidential Authority Raised
Last year, the senators came under attack for supposedly proposing in an earlier version of their bill an "Internet kill switch" that would allow the president to shutter the Internet in a national emergency, something their legislation did not do (see Senators: No Internet Kill Switch in Bill). Yet, when they redrafted their bill in the new Congress, the legislation specifically bars the president from shutting down the Internet and requires the protection of freedoms for Americans online. Similar language does not appear in the Obama bill.
DHS Deputy Undersecretary Philip Reitinger testified last year said such a provision wasn't needed and that the administration relied on the Communications Act of 1934 for presidential power to protect critical IT systems in an emergency (see Administration Declines to Back Cybersecurity Bill). Collins on Monday said she recently read the relevant section of the 77-year-old law, and contended the power it grants the president is anachronistic and too broad. She said the Communications Act allows the president to close down radio stations and seize their equipment during war or a national emergency, adding that she was befuddled why the administration hadn't proposed provisions to address contemporary technology and political norms.
Reitinger, who said neither the administration nor the senators sought additional emergency powers for the president, conceded that the Communications Act is outdated, but said the administration also relies on other authorities to protect the nation's critical IT infrastructure such as its cyber incident response plan. "This is a critical area where different people have different ideas on how government should be empowered," he said, adding that this is a point of negotiation.
Still, Collins said she was perplexed: "We should think ahead of what authorities the president should have and not be ambiguous or rely on law of take over radio stations."
Name and Shame
The administration bill also would have the private sector work with the government to establish criteria to safeguard critical, privately run IT systems such as those supporting banking, power distribution and transportation, and create an independent entity to evaluate performance and publish the results.
Collins characterized that as "name and shame," and preferred the Senate bill's approach that would have DHS sanction those who don't meet security standards. "Aren't you providing valuable information to cybercriminals and terrorist groups or nation states trying to probe our systems?" she asked. "I'm surprised you want that to be public."
Reitinger responded that only the companies would be identified, not specific facilities, and only a high-level description of the weakness would be made public so security wouldn't be impaired. He said market-based pressures from other businesses, potential customers, including the government, should get critical infrastructure providers to comply with security standards.
Also at the hearing, Ari Schwartz, National Institute of Standards and Technology senior Internet policy adviser, said the primary purpose of the administration's proposed data breach notification bill (see Obama Offers Breach Notification Bill) wasn't to punish companies that were hacked but to provide quick notification of breaches to consumers.
Lieberman suggested that the Senate is fast-tracking cybersecurity legislation, saying there's bipartisan cooperation to get it passed. "It's the most important piece of legislation coming out of committee in this session," he said.
The senators and administration representatives that included Robert Butler, Defense deputy assistant secretary for cyber policy, and Jason Chipman, senior counselor to the deputy attorney general, pledged administration cooperation with lawmakers to produce a final bill.