DHS: President has adequate authority to handle cyber emergencies

Existing laws allow the commander in chief to control communications during wars, senior official notes.

Senate legislative language allowing the White House to order companies to take specific security precautions to protect private computer networks is superfluous, the Homeland Security Department's cyber chief said during a hearing on Wednesday.

Philip R. Reitinger, deputy undersecretary of the National Protection and Programs Directorate at DHS, stopped short of taking an official position on the proposed measure during testimony before the Senate Homeland Security and Governmental Affairs Committee, stating the department was still reviewing the 2010 Protecting Cyberspace as a National Asset Act (S. 3480). But he questioned one provision authorizing the president to take emergency measures when officials identify a credible threat to the computer networks that support the nation's critical infrastructure such as banks, transportation systems, telecommunications and utilities.

"The bill recognizes that Americans expect the federal government to anticipate, prevent and respond to cyber threats, [and] the provisions relating to imminent cyber threats acknowledge that the government may need to take extraordinary measures to fulfill these responsibilities," Reitinger said. But he added, "Laws already address presidential emergency authorities and Congress and the administration should work together to identify any needed adjustments, as opposed to developing overlapping legislation."

Reitinger pointed to Section 706 of the 1934 Communications Act, which authorizes the president to take control of "facilities or stations for wire communication" during times of war. But Sen. Susan Collins, R-Maine, ranking member of the committee, said despite a 1996 amendment to incorporate telecommunications, the law does not address Internet issues effectively.

Collins and Sens. Joseph Lieberman, I-Conn., and Thomas Carper, D-Del., introduced the Protecting Cyberspace legislation last week. It is one of a number of pending bills that address cybersecurity by giving the White House and DHS additional authorities and updating the 2002 Federal Information Security Information Management Act to require agencies to monitor their computer networks more actively. Lieberman said during the hearing the measures likely will be blended into one bill for the Senate to consider later this year.

Another provision that could cause debate would require networks supporting critical infrastructure to meet security standards established and enforced by government. This would be a change from the current structure, in which most critical infrastructure industries self-regulate. Reitinger did not directly object to that language, but said regulatory agencies in sectors such as banking, finance, energy, transportation, health care and communications "should continue to review existing cybersecurity regulatory requirements and determine if new rulemaking is required." They also should continue to consult with DHS and the National Institute for Standards and Technology during this process, he added.

Alan Paller, director of research at SANS Institute, applauded the new regulatory framework and emergency measures the bill establishes, with one caveat.

"Some of the language will lead to long delays in implementing effective defenses," he warned during the hearing. "Long delays do not help the nation; they help the vendors that sell IT products and services to government and want government to accept their products as they are without being asked to make sure those products are secure."
