Administration to Congress: Cyber order is not enough

US Capitol

A renewed debate about the right form for cybersecurity legislation is heating up, and many of last year's contentious issues remain unresolved.

President Barack Obama's executive order on cybersecurity, issued last month, has been described as a "down payment" on government regulation to secure U.S. critical infrastructure and networks. What happens next, though, could prove to be a battle between Congress, key federal agencies and the private sector.

At a March 7 Senate hearing, officials including Homeland Security Secretary Janet Napolitano and Patrick Gallagher, director of the National Institute of Standards and Technology, testified before lawmakers that much remains to be done in cybersecurity. They also indicated the road ahead may not be a smooth one. The committees on Homeland Security and Governmental Affairs, and Commerce, Science and Transportation, jointly hosted the hearing.

Familiar issues – such as debates over regulation versus incentivization, which sank proposed laws last year – now are resurfacing as Congress once again takes up cyber legislation. This time around, they are compounded by fiscal pressures, primarily the spending cuts under sequestration.

Napolitano said those cuts have clear impact at DHS, where officials now are delaying the release of a next-generation intrusion detection system for government networks, canceling cybersecurity training activities and reducing the number of vacancies filled on the agency's Computer Emergency Readiness Team.

Yet on Capitol Hill, divisions over legislation already are reappearing. House Republicans have revived the controversial Cyber Intelligence Sharing and Protection Act, but in the hearing, Napolitano said that legislation does not go far enough.

"Even in the information-sharing area, I think there were some deficiencies in" the House bill, she said. "It had no privacy protections built around it, which is very important, particularly in the civilian realm. And it resided almost all the cybersecurity information monitoring responsibilities within the [National Security Agency], which is part of the military."

The divisions between which departments handle which networks – the Defense Department oversees the .mil domain, while DHS handles .gov – are a point of contention, she stated.

"We're talking about a completely different environment here, the domestic environment with core critical infrastructure," Napolitano said. She also noted that effective legislation must put into statute the roles and responsibilities laid out in the EO, insert basic standards-setting for core critical infrastructure, and increase research and development. The law would also need to enable a move from paper-based processes to continuous real-time network diagnostics as the Federal Information Security Management Act requires, she said.

Gallagher indicated that, whether under provisions from the EO or possible legislation, there remains a fine line in the relationship between government and industry.

"The tricky issue here is that there is a public accountability for the performance of critical infrastructure. If it fails, it causes impact to the nation," he said. "But these types of standards and requirements also have business impact. They touch how businesses perform and their business practices, and they affect the markets. I think generally there is a reticence to have the government somehow have an undue impact on their business convention."

Still, Gallagher is hopeful that the broad inclusion of industry in both the development of the EO and the forthcoming cybersecurity framework and standards will encourage a better, more collaborative partnership.

"This will work best of all when good cybersecurity is good business. When that alignment occurs, that's where the magic happens and this works very powerfully," he said.

According to Napolitano, the road to the EO – and ideally to effective legislation – has been paved with a sense of inclusiveness led by the Obama administration. Despite her blunt assessments of the challenges ahead, her hope is that it can continue in order to pass laws that successfully protect shared security interests.

"One of the things that happened was a process led by the White House to engage industry in the construction if the EO itself, so it didn't spring like Athena from the head of Zeus," she said. "It was really a collaborative process to begin with."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group