House struggles over security bill

Did Rep. Tom Davis (R-Va.) propose moving cybersecurity authority to OMB?

Last week, House Republicans rejected language in a bill that would have shifted oversight responsibility for cybersecurity from the Homeland Security Department to a newly created position in the Office of Management and Budget.

The proposed provision was seen as coming from Rep. Tom Davis (R-Va.), chairman of the House Reform Committee. A Davis spokesman, however, said "there never was any language in the bill that transferred functions from DHS to OMB."

The provision would have given the OMB director new authority, among other things, "for developing and overseeing the implementation of critical infrastructure information protection policies."

The Associated Press reported last week that a draft copy of Davis' bill called for the creation of a new Office of Critical Infrastructure Information Protection in OMB.

"The proposal took nothing away from DHS, by statute or by implication," Davis spokesman David Marin said. "DHS, under our language, would still be responsible for the operational aspects of information protection." The bill would have expanded the OMB director's responsibility for information security policy governmentwide, he said.

"We tried to get this in the 9-11 package," which means it is legislation proposed in response to recommendations from the 9-11 Commission, Marin said. "It's not in there." But committee members are not ready to give up. "We'll take another run at this separately," he said.

Some Hill watchers said the bill, as originally drafted, would have undercut a related bipartisan bill sponsored by Rep. Mac Thornberry (R-Texas) and Rep. Zoe Lofgren (D-Calif.), which has broad industry support. The Thornberry-Lofgren bill proposes keeping responsibility for cybersecurity at DHS but elevating the position of the person in charge of it from director to assistant secretary.

Both bills' sponsors were in a hurry to include them in 9-11 legislation in time for markup last week. Hill observers said Davis' proposal went through five or six revisions.

Dan Burton, vice president for government affairs at Entrust Technologies Inc., an information security company, said Davis wants to give more responsibility for information technology and cybersecurity to OMB, "especially for sharing information about critical infrastructure."

Industry officials who support the Thornberry-Lofgren bill said they hope lawmakers approve it before the election recess. "If something doesn't happen, it would be a real missed opportunity," said Dexter Ingram, director of information security policy at the Business Software Alliance, which represents the software industry.

Ingram said the revised Davis bill, which would create better information sharing within the federal government, would not move cybersecurity operations to OMB. "We're coming up with solutions that keep [cybersecurity] within DHS on an operational level, but also give OMB responsibility for information sharing and coordination."

Some security analysts said it would be a mistake to move cybersecurity operations out of DHS' National Cyber Security Division. Department officials have not been as aggressive on cybersecurity matters as some had hoped they would be, said John Pescatore, vice president for Internet security research at Gartner Inc.

But strengthening cybersecurity is an operational problem, Pescatore said. "Putting somebody in [DHS] in charge of doing something is much more valuable than having a figurehead at the White House in charge of publicity about the problem," he said. "We'll just end up with a lot more speaking engagements and photo ops and not a lot of operational action."

Other security analysts think that moving cybersecurity oversight back to the executive office is the right thing to do. The dissolution by Bush administration officials of the President's Critical Infrastructure Board was "the single greatest error made in U.S. cybersecurity policy," said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization.

When responsibility for cybersecurity was transferred out of the White House and given to a single federal department, "companies saw it as a target for making money and nearly every other federal agency stopped paying attention," Paller said. "Good people tried to make it work at DHS, but they never had a chance because they were isolated in a single department." Returning the responsibility to the Executive Office of the President is a critical step in advancing a national cybersecurity program, Paller said.

Davis' bill caught many industry officials and some House Democratic staff members by surprise. "This is a power play to get jurisdiction over cybersecurity issues in the federal government," a staff member said.

If responsibility for cybersecurity moves to OMB, then the House Government Reform Committee, of which Davis is chairman, would have oversight jurisdiction. If it remains in DHS, then the House Select Committee on Homeland Security would continue to oversee cybersecurity.

"Almost every person who sits on top of the dais is a senior committee chairman, and they're there to defend their own turf," the staff member said. "For the past almost two years now, all we've seen in the homeland security committee is turf battles."