House lawmakers are renewing their call for a Senate-confirmed White House official to be in charge of civilian agency cybersecurity policy.
The Obama administration’s legislative cybersecurity proposal did not include such a position despite strong support from both chambers of Congress. Instead, the White House’s bill gives the Homeland Security Department the operational and policy responsibilities while the Office of Management and Budget retains the budget authority.
“There are several provisions in the administration’s proposal I would like to see strengthened,” said Rep. Elijah Cummings (D-Md.), ranking member of the committee. “First, I hope we will consider the creation of a Senate-confirmable official with authority to set administrationwide cybersecurity policy. It is important that the official responsible for implementing the Federal Information Security Management Act (FISMA) have the authority to task all civilian departments and agencies with implementation of the federal security standards.”
Rep. Jim Langevin (D-R.I.) echoed Cummings on this issue.
Langevin, who introduced bills over the last two years to create this position and update FISMA, said current cyber coordinator Howard Schmidt doesn’t have the right authorities. Langevin praised Schmidt for the job he is doing.
“We need a strong director’s position in the Executive Office of the President that is charged with protecting our federal cyber networks,” he said. “I want to see that position strengthened and I want to see it be a Senate-confirmed position with strong authorities.”
Langevin said the White House official would have a top-line view of all cyber efforts across the government. Currently, neither Schmidt nor DHS has that ability.
“Just last year the White House moved further away from this model by moving OMB’s oversight for federal security to DHS,” he said. “While DHS clearly has the operational lead for protecting the .gov network, what authority do they have to oversee agency budgets and actually compel these important technical challenges be addressed? OMB could do it, but does DHS have that sufficient authority? I really question that.”
OMB gave DHS more authority in July 2010 over all civilian agency networks, FISMA implementation and other operational elements.
Greg Schaffer, the acting deputy undersecretary for the National Protection and Programs Directorate at DHS, said OMB retains the budget authority to be the enforcement entity.
“The legislative proposal would consolidate the oversight responsibility with the operational responsibility that we have and move things in the direction that we would be given the authority to direct departments and agencies to take action to improve their security and deploy appropriate protections,” he said.
But Langevin, Cummings and others said this setup isn’t enough.
In fact, one of the major Senate cyber bills, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would create a Senate-confirmed cyberspace policy director in the White House.
The White House proposal is not a bill yet, but should one come to the House floor without the requirement for a Senate-confirmed cyberspace director, Langevin wouldn’t hesitate to introduce an amendment.
“I’m hoping that ultimately the legislation proposed in the last Congress, which was passed as part of the National Defense authorization bill, including stronger authorities for the cyber coordinator, which would be a director’s position, Senate-confirmed and stronger authorities, I want to see that legislation passed,” he said. “If there is another vehicle for adding a Senate-confirmed position with strengthened authorities, I would certainly consider that.”
The Senate-confirmed White House official was one of two areas committee members focused on that were not in the administration’s proposal.
Schaffer said he’s aware of instances where this has happened.
“This is one of the most complicated and difficult challenges we have,” he said. “The range of issues goes to the fact that there are foreign components in many U.S.-manufactured devices. There’s a task force that DHS and DoD co-chair to look at these issues with goals to identify short-term mitigation strategies and also to make sure we have capability to maintain U.S. manufacturing capabilities over the long term.”
Chaffetz said the concern is the agencies and the public don’t know foreign developers are planting viruses and backdoors into software and hardware, and the government already has felt the effect of these attacks.
“It’s not easily solved,” he said. “If I could write it out in a few paragraphs and introduce it in a piece of legislation then great, but it’s not going to be that simple. It’s one of the more difficult things to solve and protect ourselves from.”
He added supply chain risks are growing and the government must find a way to address them.
Langevin said he’s seeing more discussion of supply chain risk management in the Armed Services and Intelligence committees, both of which he is a member of.
“I’d like to see stronger involvement there and stronger oversight,” he said. “We have a lot of work to do to make sure our supply chain is more secure than what it is now.”