Some experts advise House and Senate leaders to coordinate their cybersecurity efforts.
When it comes to cybersecurity and its legislative oversight, members of Congress are all over the map.
In recent weeks, a flurry of bills have been introduced in the House and the Senate, tackling topics such as the security of the power grid, the management of the government’s information technology investments and the White House’s approach for dealing with cyber threats.
The measures are welcome news for cybersecurity experts who have long pushed Congress to focus more on the cross-cutting nature of information technology security.
However, the bills are coming from lawmakers from diverse committees, prompting questions about who on Capitol Hill should have oversight of computer security and how much authority lawmakers should have to oversee the White House’s efforts.
Gregory Garcia, who was assistant secretary for cybersecurity and communications at the Homeland Security Department during the Bush administration, said leaders in Congress should come up with a strategy to handle cybersecurity in a coordinated and comprehensive way that identifies gaps that legislation can fill.
Garcia, who now runs a consulting firm, Garcia Strategies, suggested that congressional leaders could model its approach on the Obama administration’s 60-day review of cyber policy. Then, rather than introduce multiple bills, they could develop omnibus security legislation, he said.
So far this session, lawmakers have introduced legislation attempting to accomplish similar goals in different ways.
For example, Sen. Jay Rockefeller (D-W.Va.), chairman of the Commerce, Science and Transportation Committee, introduced a bill April 1 that seeks to use the Commerce Department’s authorities to improve cybersecurity, in part through increased use of standards from the National Institute for Science and Technology.
Meanwhile, a few weeks later, on April 28, Sen. Thomas Carper (D-Del.), chairman of a subcommittee of the Homeland Security and Governmental Affairs Committee, introduced a bill that also called for greater use of standards for federal IT systems.
However, although both senators call for more continuous monitoring of the government’s information systems, Rockefeller would have the Commerce Department work with the Office of Management and Budget to put a new monitoring system in place. On the other hand, Carper would make it the responsibility of the director of a new National Office for Cyberspace to be part of the Executive Office of the President.
Rockefeller also proposes to create a new White House office, but it would be called the Office of National Cybersecurity Advisor.
The administration is expected to announce whether it will create such an office or adviser when it releases the results of its cybersecurity review in the coming days. (See story, Page 13)
James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, has long urged the creation of an office at the White House to coordinate cyber policy. He said he didn’t think the two proposed versions of the office represented a disagreement over how the new entity should work with the National Security Council.
“I think what they’re trying to do is send a signal to the White House that [the administration needs] to get their act together and they need to do the right thing when it comes to setting up someone in the White House,” he said. “If the 60-day review comes out and you don’t have the outcome all of us thought was right, I think what you’ll see is then the bills move forward.”
Not all lawmakers are keen on a new office in the White House. During a hearing April 28, Sen. Susan Collins (R-Maine) urged caution when considering a new office out of fear that it would diminish congressional oversight.
“I think we have to proceed carefully here to make sure that we don’t create a whole new round of turf battles and inadequate congressional oversight and unclear lines of authority,” Collins said.
In another example, Rep. Bennie Thompson (D-Miss.) and Sen. Joseph Lieberman (I-Conn.), chairmen of the House and Senate homeland security committees, introduced bills April 30 that would give the Federal Energy Regulatory Commission more authority to deal with cyber threats to the nation’s privately owned electricity grids. Thompson and Lierberman coordinated their effort, but a day earlier, Rep. Henry Waxman (D-Calif.) chairman of the Energy and Commerce Committee, co-sponsored a similar bill that was introduced by Rep. John Barrows (D-Ga.).
“A lot of the real battles now are going to be fought on Capitol Hill amongst the committees themselves,” Garcia said.
NEXT STORY: Survey: CISOs dish on FISMA