With cyber czar in place, lawmakers continue legislative push

For the better part of a year, it seemed that virtually every debate and discussion involving cybersecurity centered on the so-called cyber czar: Who would it be? How much power would the czar have? What would the official’s responsibilities entail? Why was it taking so long to name someone? Should he or she even be called a czar?

But even with the appointment of Howard Schmidt, a computer security veteran with loads of experience in government and industry, as the White House’s cyber coordinator, the numerous online threats facing the United States didn’t instantaneously evaporate. Schmidt’s entrance did put a trusted face on the Obama administration’s approach to protecting cyber infrastructure: Lawmakers have a clearer picture of the administration’s computer security plans, and industry, which is always quick to point out that companies own a vast majority of cyber infrastructure, seemed pleased with the choice.

Now the focus of debate on the government’s role in computer security might shift down Pennsylvania Avenue from the White House to the Capitol.

Indeed, momentum for more government involvement seemingly grows with every dire intelligence assessment, online financial fraud case, or newspaper article about Google and China. All that adds up to ammunition for a sustained push by lawmakers who want to advance comprehensive cybersecurity legislation.

For example, Dennis Blair, the national intelligence director, recently led his testimony to a Senate panel on the intelligence agencies’ annual threat assessment with a blunt warning of the cyber threat. His predecessor, Michael McConnell, also told the Senate Commerce, Science and Transportation Committee last month that the United States would lose a cyber war.

Meanwhile, a cyberattack simulation last month, broadcast by CNN, depicted a faux White House Situation Room in which Cabinet officials struggled through questions of what legal authorities the president had to respond during a burgeoning cyber crisis.

The cyber simulation “made it enormously clear [that] if we are serious about responding to real cyber emergencies effectively, we need a real strong, top-level coordination,” Sen. John “Jay” Rockefeller (D-W.Va.), chairman of the Commerce committee, said during the hearing. “Too much is at stake for us to pretend that today’s outdated cybersecurity policies are up to task of protecting our nation and/or our economic infrastructure.”

Rockefeller and Maine's Olympia Snowe, a senior Republican on the panel, continue to refine a sweeping cybersecurity bill they introduced last year. Both senators used the recent hearing to make the case for their recommendations. Snowe said the administration's cyber coordinator should be a Senate-confirmed position, as proposed in the Rockefeller/Snowe legislation, so the official would be obliged to testify before their committee.

Rockefeller and Snowe, Blair and McConnell, government and industry — all seem to agree that the public and private sectors must share the responsibility to protect the country's IT infrastructure. But how to regulate in a way that spurs innovation and bolsters security remains subject to intense debate.

The original language in the Rockefeller/Snowe bill, as introduced in April 2009, stoked controversy in industry partially because it would have given the president power to declare a cybersecurity emergency and shut down Internet traffic to and from government systems or networks and those considered critical infrastructure. In addition, in the interest of national security, the president could order the disconnection of such networks or systems. Provisions that would have mandated certifications for cybersecurity professionals also irked some in the private sector.

Since then, however, the Rockefeller/Snowe bill is said to have gone through four iterations as feedback from industry has been incorporated into the legislation. A markup date for the bill hasn’t been set.

James Lewis, director of the Center for Strategic and International Studies’ technology and public policy program, supports the bill. During the recent hearing, Lewis, who directed a commission that has framed much of the cybersecurity discussion during the past year, testified that it’s important for the president to have clear authority to act in a cyber crisis. He also said the development of new rules is critical, even if industry cries foul and companies say regulations stymie innovation.

It’s not clear what requirements an eventual version of the Rockefeller/Snowe bill would levy on industry. It’s also unclear how other computer security-related proposals that call for further regulation of the private sector will advance in Congress.

However, if the Commerce committee hearing was any indication, it is likely that the great cybersecurity debates of 2010 will focus on legislation, not White House officials.

And time might be short. “When it was steam engines or automobiles or telephones, we could take 20 or 30 or 40 years to come up with the rules we needed, but we don’t have that luxury now,” Lewis said. “Prompt action is necessary.”

About the Author

Ben Bain is a reporter for Federal Computer Week.
