With cyber czar in place, lawmakers continue legislative push

Congress could tackle key computer security questions in 2010, despite persistent disagreement over the extent to which cybersecurity should be regulated.

For the better part of a year, it seemed that virtually every debate and discussion involving cybersecurity centered on the so-called cyber czar: Who would it be? How much power would the czar have? What would the official’s responsibilities entail? Why was it taking so long to name someone? Should he or she even be called a czar?

But even with the appointment of Howard Schmidt, a computer security veteran with loads of experience in government and industry, as the White House’s cyber coordinator, the numerous online threats facing the United States didn’t instantaneously evaporate. Schmidt’s entrance did put a trusted face on the Obama administration’s approach to protecting cyber infrastructure: Lawmakers have a clearer picture of the administration’s computer security plans, and industry, which is always quick to point out that companies own a vast majority of cyber infrastructure, seemed pleased with the choice.

Now the focus of debate on the government’s role in computer security might shift down Pennsylvania Avenue from the White House to the Capitol.

Indeed, momentum for more government involvement seemingly grows with every dire intelligence assessment, online financial fraud case, or newspaper article about Google and China. All that adds up to ammunition for a sustained push by lawmakers who want to advance comprehensive cybersecurity legislation.

For example, Dennis Blair, the national intelligence director, recently led his testimony to a Senate panel on the intelligence agencies’ annual threat assessment with a blunt warning of the cyber threat. His predecessor, Michael McConnell, also told the Senate Commerce, Science and Transportation Committee last month that the United States would lose a cyber war.

Meanwhile, a cyberattack simulation last month, broadcast by CNN, depicted a faux White House Situation Room in which Cabinet officials struggled through questions of what legal authorities the president had to respond during a burgeoning cyber crisis.

The cyber simulation “made it enormously clear [that] if we are serious about responding to real cyber emergencies effectively, we need a real strong, top-level coordination,” Sen. John “Jay” Rockefeller (D-W.Va.), chairman of the Commerce committee, said during the hearing. “Too much is at stake for us to pretend that today’s outdated cybersecurity policies are up to task of protecting our nation and/or our economic infrastructure.”

Rockefeller and Maine's Olympia Snowe, a senior Republican on the panel, continue to refine a sweeping cybersecurity bill they introduced last year. Both senators used the recent hearing to make the case for their recommendations. Snowe said the administration's cyber coordinator should be a Senate-confirmed position, as proposed in the Rockefeller/Snowe legislation, so the official would be obliged to testify before their committee.

Rockefeller and Snowe, Blair and McConnell, government and industry — all seem to agree that the public and private sectors must share the responsibility to protect the country's IT infrastructure. But how to regulate in a way that spurs innovation and bolsters security remains subject to intense debate.

The original language in the Rockefeller/Snowe bill, as introduced in April 2009, stoked controversy in industry partially because it would have given the president power to declare a cybersecurity emergency and shut down Internet traffic to and from government systems or networks and those considered critical infrastructure. In addition, in the interest of national security, the president could order the disconnection of such networks or systems. Provisions that would have mandated certifications for cybersecurity professionals also irked some in the private sector.

Since then, however, the Rockefeller/Snowe bill is said to have gone through four iterations as feedback from industry has been incorporated into the legislation. A markup date for the bill hasn’t been set.

James Lewis, director of the Center for Strategic and International Studies’ technology and public policy program, supports the bill. During the recent hearing, Lewis, who directed a commission that has framed much of the cybersecurity discussion during the past year, testified that it’s important for the president to have clear authority to act in a cyber crisis. He also said the development of new rules is critical, even if industry cries foul and companies say regulations stymie innovation.

It’s not clear what requirements an eventual version of the Rockefeller/Snowe bill would levy on industry. It’s also unclear how other computer security-related proposals that call for further regulation of the private sector will advance in Congress.

However, if the Commerce committee hearing was any indication, it is likely that the great cybersecurity debates of 2010 will focus on legislation, not White House officials.

And time might be short. “When it was steam engines or automobiles or telephones, we could take 20 or 30 or 40 years to come up with the rules we needed, but we don’t have that luxury now,” Lewis said. “Prompt action is necessary.”