Administration to Congress: Cyber order is not enough

US Capitol

A renewed debate about the right form for cybersecurity legislation is heating up, and many of last year's contentious issues remain unresolved.

President Barack Obama's executive order on cybersecurity, issued last month, has been described as a "down payment" on government regulation to secure U.S. critical infrastructure and networks. What happens next, though, could prove to be a battle between Congress, key federal agencies and the private sector.

At a March 7 Senate hearing, officials including Homeland Security Secretary Janet Napolitano and Patrick Gallagher, director of the National Institute of Standards and Technology, testified before lawmakers that much remains to be done in cybersecurity. They also indicated the road ahead may not be a smooth one. The committees on Homeland Security and Governmental Affairs, and Commerce, Science and Transportation, jointly hosted the hearing.

Familiar issues – such as debates over regulation versus incentivization, which sank proposed laws last year – now are resurfacing as Congress once again takes up cyber legislation. This time around, they are compounded by fiscal pressures, primarily the spending cuts under sequestration.

Napolitano said those cuts have clear impact at DHS, where officials now are delaying the release of a next-generation intrusion detection system for government networks, canceling cybersecurity training activities and reducing the number of vacancies filled on the agency's Computer Emergency Readiness Team.

Yet on Capitol Hill, divisions over legislation already are reappearing. House Republicans have revived the controversial Cyber Intelligence Sharing and Protection Act, but in the hearing, Napolitano said that legislation does not go far enough.

"Even in the information-sharing area, I think there were some deficiencies in" the House bill, she said. "It had no privacy protections built around it, which is very important, particularly in the civilian realm. And it resided almost all the cybersecurity information monitoring responsibilities within the [National Security Agency], which is part of the military."

The divisions between which departments handle which networks – the Defense Department oversees the .mil domain, while DHS handles .gov – are a point of contention, she stated.

"We're talking about a completely different environment here, the domestic environment with core critical infrastructure," Napolitano said. She also noted that effective legislation must put into statute the roles and responsibilities laid out in the EO, insert basic standards-setting for core critical infrastructure, and increase research and development. The law would also need to enable a move from paper-based processes to continuous real-time network diagnostics as the Federal Information Security Management Act requires, she said.

Gallagher indicated that, whether under provisions from the EO or possible legislation, there remains a fine line in the relationship between government and industry.

"The tricky issue here is that there is a public accountability for the performance of critical infrastructure. If it fails, it causes impact to the nation," he said. "But these types of standards and requirements also have business impact. They touch how businesses perform and their business practices, and they affect the markets. I think generally there is a reticence to have the government somehow have an undue impact on their business convention."

Still, Gallagher is hopeful that the broad inclusion of industry in both the development of the EO and the forthcoming cybersecurity framework and standards will encourage a better, more collaborative partnership.

"This will work best of all when good cybersecurity is good business. When that alignment occurs, that's where the magic happens and this works very powerfully," he said.

According to Napolitano, the road to the EO – and ideally to effective legislation – has been paved with a sense of inclusiveness led by the Obama administration. Despite her blunt assessments of the challenges ahead, her hope is that it can continue in order to pass laws that successfully protect shared security interests.

"One of the things that happened was a process led by the White House to engage industry in the construction if the EO itself, so it didn't spring like Athena from the head of Zeus," she said. "It was really a collaborative process to begin with."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above