Administration to Congress: Cyber order is not enough

A renewed debate about the right form for cybersecurity legislation is heating up, and many of last year's contentious issues remain unresolved.

President Barack Obama's executive order on cybersecurity, issued last month, has been described as a "down payment" on government regulation to secure U.S. critical infrastructure and networks. What happens next, though, could prove to be a battle between Congress, key federal agencies and the private sector.

At a March 7 Senate hearing, officials including Homeland Security Secretary Janet Napolitano and Patrick Gallagher, director of the National Institute of Standards and Technology, testified before lawmakers that much remains to be done in cybersecurity. They also indicated the road ahead may not be a smooth one. The committees on Homeland Security and Governmental Affairs, and Commerce, Science and Transportation, jointly hosted the hearing.

Familiar issues – such as debates over regulation versus incentivization, which sank proposed laws last year – now are resurfacing as Congress once again takes up cyber legislation. This time around, they are compounded by fiscal pressures, primarily the spending cuts under sequestration.

Napolitano said those cuts have a clear impact at DHS, where officials now are delaying the release of a next-generation intrusion detection system for government networks, canceling cybersecurity training activities and reducing the number of vacancies filled on the agency's Computer Emergency Readiness Team.

Yet on Capitol Hill, divisions over legislation already are reappearing. House Republicans have revived the controversial Cyber Intelligence Sharing and Protection Act, but in the hearing, Napolitano said that legislation does not go far enough.

"Even in the information-sharing area, I think there were some deficiencies in" the House bill, she said. "It had no privacy protections built around it, which is very important, particularly in the civilian realm. And it resided almost all the cybersecurity information monitoring responsibilities within the [National Security Agency], which is part of the military."

The divisions between which departments handle which networks – the Defense Department oversees the .mil domain, while DHS handles .gov – are a point of contention, she stated.

"We're talking about a completely different environment here, the domestic environment with core critical infrastructure," Napolitano said. She also noted that effective legislation must put into statute the roles and responsibilities laid out in the EO, insert basic standards-setting for core critical infrastructure, and increase research and development. The law would also need to enable a move from paper-based processes to continuous real-time network diagnostics as the Federal Information Security Management Act requires, she said.

Gallagher indicated that, whether under provisions from the EO or possible legislation, there remains a fine line in the relationship between government and industry.

"The tricky issue here is that there is a public accountability for the performance of critical infrastructure. If it fails, it causes impact to the nation," he said. "But these types of standards and requirements also have business impact. They touch how businesses perform and their business practices, and they affect the markets. I think generally there is a reticence to have the government somehow have an undue impact on their business convention."

Still, Gallagher is hopeful that the broad inclusion of industry in both the development of the EO and the forthcoming cybersecurity framework and standards will encourage a better, more collaborative partnership.

"This will work best of all when good cybersecurity is good business. When that alignment occurs, that's where the magic happens and this works very powerfully," he said.

According to Napolitano, the road to the EO – and ideally to effective legislation – has been paved with a sense of inclusiveness led by the Obama administration. Despite her blunt assessments of the challenges ahead, her hope is that it can continue in order to pass laws that successfully protect shared security interests.

"One of the things that happened was a process led by the White House to engage industry in the construction of the EO itself, so it didn't spring like Athena from the head of Zeus," she said. "It was really a collaborative process to begin with."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
