Homeland Security Makes Power-Grab for Sweeping Cybersecurity Authority
A battle is currently brewing in the U.S. Senate over dueling pieces of cybersecurity legislation aimed at protecting against cyberespionage and other forms of cybercriminality, including hacking.
American firms and government officials are concerned about better preventing and punishing activities intended to enable unauthorized access to American citizens' and companies' private data. Recent reports have highlighted incidents such as the hacking of the Chamber of Commerce and attempts to access information relevant to U.S. firms' intellectual property, news that hints at the threat to economic security represented by inadequate cybersecurity measures.
But while agreement broadly exists as to the threats, deep disagreement exists as to the legislative solution, with the Obama administration urging legislation containing controversial provisions.
Backed by the White House and Department of Homeland Security (DHS) Chief Janet Napolitano, Sen. Joseph Lieberman (ID-Conn.) and Sen. Susan Collins (R-Maine) have proposed a bill that would create a new regulatory regime empowering DHS to mandate cybersecurity standards for private firms.
Competing legislation introduced by Sen. John McCain (R-Ariz.) and backed by other Senate Republicans would, by contrast, encourage information-sharing between the private sector and government to combat threats, rather than adding to the existing regulatory burden facing business. Companion legislation has been introduced in the House by Rep. Mary Bono-Mack and Rep. Marsha Blackburn.
McCain's approach fits with that preferred by industry groups, including the hacked Chamber itself. Earlier this month, Chamber spokesperson Bobby Maldonado told the Wall Street Journal that the organization supports "the overarching principles behind the non regulatory approach to cybersecurity policy."
Meanwhile, USTelecom, a big name in the technology sector, is worried that any regulatory regime DHS might seek to impose could constrain the adoption of innovative tools to combat ever-developing threats, a result that could run counter to the stated objective of cybersecurity legislation.
But a further concern may be government's capacity to set appropriate regulations in view of its own apparent failings on the cybersecurity front.
Earlier this month, the Government Accountability Office released a little-noticed report titled "IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data." CIO Magazine summarized it like this:
For the past six years straight the IRS failed to install critical software fixes, let unauthorized people access accounting programs and didn’t make sure contractors had received proper security training.
The story appears to lend weight to industry's viewpoint that cybersecurity legislation would be better focused on information-sharing and on defending government systems, as does a further report from CIO about the Department of Defense's networks being "completely compromised":
The Defense Department’s (DoD) computer networks have been totally compromised by foreign spies, according to federal cybersecurity experts.
Those experts claim that the billions spent by the government on cybersecurity have provided only a limited increase in protection; attackers can penetrate DoD networks; and the defense supply chain and physical systems are at high risk of attack.
This leaves CIO's Constantine von Hoffman asking, "So, the DoD can’t protect its networks but we're supposed to think the Department of Homeland Security (DHS) will be able to protect those in the private sector" as the Lieberman-Collins bill envisages?
That the focus of cybersecurity legislation should be on information-sharing, not regulation, is also a conclusion reinforced by comments made by Gen. Keith Alexander, who told Politico earlier last week that "it's very important" that cybersecurity legislation move forward, while also emphasizing that information-sharing between the private sector and government is critical to combating cyber threats.
As for the dueling bills themselves, Sen. Lieberman hopes his version will be brought to a vote by Senate Majority Leader Harry Reid (D-Nev.) after the April recess. McCain continues to push his bill and to press for amendments to Lieberman-Collins that address concerns about the prospect of overregulation at the hands of DHS.