Senators argue cybersecurity leadership

The question of whether comprehensive cybersecurity legislation is needed to define roles and responsibilities for protecting the nation’s critical infrastructure gets a resounding "yes" from all quarters of government -- from Democrats, Republicans and independents, from the president and from Congress.

The agreement stops there.

Despite the introduction of scores of bills in both houses of Congress in the last two sessions, nothing significant has been passed. Sen. John McCain (R-Ariz.) has called for creating a temporary select committee to break the logjam.

“The Senate has yet to coalesce around one comprehensive proposal that adequately addresses the governmentwide threats we face,” McCain said in a July 13 statement. “A select committee would be capable of drafting comprehensive cybersecurity legislation quickly without needing to work through numerous and in some cases competing committees of jurisdiction.”

Related coverage:

Can government and industry solve the security/privacy equation?

White House cyber plan would expand role of DHS, private sector

Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman (I-Conn.) and ranking member Susan Collins (R-Maine), who have proposed their own legislation, quickly objected to the idea.

“It would be a mistake and a waste of time to restart the process when so much work has already been done,” they wrote in a July 13 letter to Senate Majority Leader Harry Reid (D-Nev.) and Minority Leader Mitch McConnell (R-Ky.)

McCain’s proposal comes as both houses are considering a legislative proposal from President Barack Obama that would clarify the government’s role in protecting the nation’s critical infrastructure and that favors public/private cooperation over regulation.

The plan would give the Homeland Security Department oversight authority for the Federal Information Security Management Act, the primary framework for protecting civilian government IT systems, and establish an incentive program with both carrots and sticks to encourage owners and operators of critical infrastructure to establish cybersecurity programs.

Administration officials have called the proposal a work in progress rather than a finished product, and described its introduction as the beginning of an extensive discussion among the administration, Congress and the private sector. The process of reconciling the president’s proposal with bills already before the House and Senate to produce legislation is likely to be complicated.

“Practically every committee in Congress can claim jurisdiction over cybersecurity,” Rep. Darrell Issa (R-Calif.), chairman of the House Oversight and Reform Committee, said during a recent hearing. He proposed that his committee take the lead in the House for developing cybersecurity legislation.

McCain proposed a Select Committee on Cyber Security and Electronic Intelligence Leaks in a July 13 letter to the Senate majority and minority leaders. Its job would be to develop legislation to safeguard critical systems from insider threats and to protect the critical infrastructure, including the energy grid, air traffic control, utilities, financial networks and defense systems.

In urging the new committee, McCain cited competing cybersecurity proposals from the White House, at least seven committees and several executive branch departments.

“With so many agencies and the White House moving forward with cybersecurity proposals, we must provide congressional leadership on this pressing issue of national security,” he wrote. “I truly believe the only way to move comprehensive cybersecurity legislation forward swiftly is to have committee chairmen and ranking members step away from preserving their own committees’ jurisdiction. . . .”

Lieberman and Collins said there have been no turf battles in moving their legislation, the Cybersecurity and Internet Freedom Act of 2011, through their committee.

“For more than a year we have worked across committee lines,” they wrote in  their letter. “Partisanship and turf protection were strikingly absent from these talks.”

They said the resulting bill would establish clear lines of authority for securing the .gov and .com domains. Creation of a select committee would derail the existing process and undo years of progress.

“If Senator McCain or any other colleague wishes to amend the cybersecurity legislation that comes to the floor or even introduce a substitute to it, of course they should be free to do so,” Lieberman and Collins wrote, saying it would be a more efficient and less time-consuming way than to restart the process.