As lawmakers prepare to vote on dueling versions of cybersecurity legislation, the White House is making the case for the draft bill it proposed almost a year ago.
Any bill that emerges from Congress should include provisions that ensure the nation’s most critical privately owned infrastructure is as secure as it can be, the Obama administration’s cyber policy chief said Tuesday.
While a mishmash of competing cyber bills is currently vying for attention on Capitol Hill, the most contentious divide is over whether to give the federal government new powers to set cybersecurity standards for the nation’s most critical privately held infrastructure. Lawmakers who are wary of adding a new regulatory burden to private businesses said that lowering the barriers to information sharing, both between federal agencies and private industry and within the private sector itself, could solve the problem.
“If information sharing was enough, that’s all we would have asked for,” Howard Schmidt, the White House’s cybersecurity coordinator, told a Georgetown University conference. “But there’s other components that are important.”
Tougher penalties for certain categories of cyber criminals: “People have to be held more accountable when they interfere with critical infrastructure. There’s got to be a higher level when it comes to organized crime,” he said.
Updates to the Federal Information Security Management Act (FISMA): “We have to move from an environment where by being FISMA compliant, you can still be insecure. We have to flip that around. We want an environment where, by becoming secure, you are indeed FISMA compliant,” Schmidt said.
Increasing the nation’s ability to train and retain cyber talent.
Those proposals are somewhat uncontroversial and are included in the two competing cybersecurity proposals under consideration in the Senate. The rub is over whether the Department of Homeland Security or any other agency should be allowed to define what constitutes a core critical infrastructure system and then set minimum standards to keep such systems secure from cyber attacks.
“Rather than arming DHS with expansive new regulatory authority over every sector of our economy, we need a partnership approach between the government and private entities,” said Sen. Lisa Murkowski (R-Alaska), who co-sponsored the SECURE-IT Act together with Sen. John McCain (R-Ariz.) and several other GOP senators. “By focusing on those areas like information sharing where bipartisan agreement is achievable, we can tackle the cyber issue in a meaningful and constructive way.”
Administration’s bill is most contentious
Schmidt acknowledged the critical infrastructure provision of the bills advanced by the White House was the most contentious, but he said all operators of core critical infrastructure should have to prove to the government, and to their customers, that they’re doing all they can on the cybersecurity front.
“And one would think that would not be that big of an ask,” he said. “When all of us go out to buy a car, we don’t deal with people who may or may not decide to add brakes or may or may not decide to put bald tires on the car. These are things that we expect for safety and security. We have to do the same thing when it comes to the core critical infrastructure.”
Allies of the White House approach to regulating critical infrastructure include Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), who have proposed a broad cyber overhaul. Smaller, more piecemeal bills are expected to be voted on in the House in the next few weeks.
Schmidt said protecting DoD and other federal systems is vital, but it’s not the federal government’s only responsibility on the cyber front. He said state and local governments would be devastated by the aftereffects of a successful attack on critical infrastructure, as would private businesses. He said it’s the federal government’s responsibility to prevent those attacks in the first place.
“We have natural things that take place that affect businesses all the time, windstorms, snowstorms, hurricanes, you name it. They’re out of business for reasons we can’t control,” he said. “But can we afford to have companies go out of business for any period of time in today’s economy just because they didn’t have access to the core critical infrastructure? Yes, we care about the military, yes, we care about the cybersecurity of the federal government, but this is not just about the federal government. It’s the local governments and the small and medium sized businesses that we have to protect. People talk about the impact of this legislation’s impact on businesses, but let’s look beyond that top layer. Let’s look at all the things that are going to be impacted if these things aren’t protected.”