The cybersecurity ship is finally pulling into the slip. The same Congress which found a way to agree on a permanent FAA authorization bill after several years and 23 continuing resolutions is coalescing around major cybersecurity legislation.
During the last couple of sessions, Congress scattered its intentions among so many bills, nothing passed. Now, in the Senate, the heavy lifting appears to be occurring in the Commerce, Science and Transportation Committee and the Homeland Security and Governmental Affairs Committee. The bill isn’t ready, but at the urging of Majority Leader Harry Reid, a comprehensive bill is expected. One Senator active on cybersecurity, Tom Carper (D-Del.), told Federal News Radio not to expect it until April 1, and he mentioned that that’s April Fool’s Day.
In the House, it’s the Homeland Security Committee, and more particularly the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, chaired by Dan Lungren (R-Calif.). Last week the committee agreed on the PrECISE Act, or HR 3674. That stands for Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness.
In some fundamental ways, the bills agree that the Homeland Security Department becomes the focus of federal cybersecurity efforts in .gov protection – which it de facto is anyhow – and for coordination with private sector operators of critical infrastructure. But is it coordination or outright regulation?
There are differences. The Senate takes a slightly heavier-handed approach to direct regulation of private companies’ cyber practices. The House version establishes a National Information Sharing Organization, a trusted place for information sharing about cyber threats, funded for three years by the government and then by industry if there is uptake. But it does empower Homeland Security to gather data and establish standards for various sectors, but reserves the highest level of regulation for operators of networks, the failure of which would cause loss of life, endanger national security, or cause disruptions to the economy.
The House version would otherwise leave direct regulation to the discretion of the agencies, like the Energy Department and the electric grid, that already oversee different sectors. The Senate appears to be headed toward more direct regulation by DHS. Its version has similar criteria to the House for which pieces of critical infrastructure would be subject to federal regulation.
The Senate bill is expected to require the White House cybersecurity advisor to become a Senate-confirmed position. That’s not the case with the House bill, although some members openly question whether Howard Schmidt, as the non-confirmed, mid-level advisor, has much direct access to the president.
To me it seems likely that agencies, particularly chief information security officers, will eventually lose autonomy to a governmentwide structure operated out of DHS. Surely a department with a broad mandate over significant pieces of the private sector would also have hegemony with the government itself.
Cyber is developing at another level. The National Institute of Standards and Technology has moved the National Strategy for Trusted Identities in Cyberspace a notch forward. It announced grants for industry or academia to develop ideas for some ID system other than the standard username/password scheme. Next week NIST holds a public meeting to further discuss these pilot programs. The money is not big, but the projects could catalyze development of commercial ID ecosystems that catch on where public-key encryption simply has not.
Temin on Tech
