Government and industry still are waiting for a clear policy on cybersecurity, but it is not likely to emerge soon.
Cybersecurity has been a hot topic for the past couple of years. It has assumed a high profile in the Obama administration, with a cybersecurity coordinator installed in the White House. A number of bills have been introduced in the House and Senate that would lay out clearer lines of authority for information security. After years of carping about the shortcomings of the Federal Information Security Management Act, it seemed likely that Congress would pass some kind of FISMA reform.
But here we are in the closing weeks of the 111th Congress and nothing has happened. But that might not be such a bad thing — it might be better to do nothing than to pass the wrong legislation.
The issue is not quite dead. A comprehensive cybersecurity bill, S. 3480, introduced by Independent Sen. Joseph Lieberman of Connecticut and Republican Sen. Susan Collins of Maine has passed out of committee but has not been acted on by the full Senate. The sitting Congress still has time to consider the bill during the short session, which Collins urged it to do Nov. 17 during a cybersecurity hearing before the Homeland Security and Governmental Affairs Committee. “I personally think it is an ideal issue for the lame duck Congress to take up,” she said.
Lieberman expressed little hope that the bill would be passed by this Congress, however. “It’s unfortunate that the clock will run out on us before we have a chance to complete negotiations with other committees and with the administration, who I regret to say did not engage as early in the process of developing this legislation as was necessary,” he said.
Several companion bills already are pending on the House side, and in a last minute Hail Mary effort, Rep. Bennie G. Thompson (D-Miss.), chairman of the House Homeland Security Committee, introduced a new bill last week, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010, H.R. 6423. The bill would give the Homeland Security Department the authority to establish and enforce risk-based information security standards for government IT systems as well as for private-sector systems design as critical infrastructure.
This bill is not a companion to the Lieberman-Collins bill in the Senate, a spokeswoman for Thompson said. “It’s quite different,” and is not intended to facilitate last minute passage of cybersecurity legislation in both houses, she said. Thomson had been considering introducing a bill this year, and this bill puts him on record with what he is proposing while he still chairs the committee.
It is unlikely that either bill will make it through both houses during a lame-duck session that still has to do something about a federal budget and is wrestling with issues like “don’t ask/don’t tell.”
It is impossible to say at this point what the appetite and ability of the next Congress will be to pass cybersecurity legislation. A few things clearly are needed in this area — most importantly, some clear lines of authority. DHS has been given the nominal lead for civilian government IT security, but little or no authority. By default, the Office of Management and Budget has been doing the heavy lifting through FISMA.
But securing the private-sector portion of the critical infrastructure is more problematic. Standards and help from government are needed, but mandates and regulatory enforcement could do more harm than good.
Outspoken IT consultant Tony Summerlin recently called provisions in the Lieberman-Collins bill for government oversight of private systems, “just short of insane,” and said government first needs to put its own house in order.
“Before they start regulating industry, perhaps they ought to do something about the 30,000 Chinese crawling over their networks every day,” Summerlin said.