White House cyber solutions too slow, Senator says

By Jared Serbu
Reporter
Federal News Radio

A senator who will play a role in determining the future of the Obama administration’s cybersecurity proposal said Tuesday the White House’s approach to the nation’s network defenses could prove too slow to deal with the threats the country currently faces.

The pace of the traditional administrative process is less than ideal when dealing with a threat that’s evolving every day, said Sen. Sheldon Whitehouse (D-R.I.), chairman of the Judiciary committee’s Subcommittee on Crime and Terrorism.

“I’m worried about the extent of the threat that we’re facing right now, and the time it will take to work through the administration’s proposal,” he said at his subcommittee hearing examining the administration’s cybersecurity ideas Tuesday. “It seems to me that to the extent we can reach agreement and try to draw those bright lines forward and into legislation so that people can begin to rely on them and gain their protections more rapidly, that would be to their advantage.”

The administration’s proposal relies on agency rulemaking processes to determine such issues as the definition of “critical infrastructure” and the framework for plans that the companies who operate those essential components must submit for defending their networks.

Such a process would let members of the affected industries and the public comment before the rules become final.

Whitehouse said his experience with rulemaking, in the cyber area in particular, had shown him that agencies tend to act extremely slowly.

“I spent three years just trying to get the Drug Enforcement Administration to knock off its ban on pharmaceuticals being prescribed electronically,” he said. “I had the support in that of both the Department of Health and Human Services and the Attorney General. If that’s the pace of something the government agrees with, I’m concerned about the prospect of delays.”

Administration officials said they were not opposed to discussing the idea of moving components of the bill into statute as opposed to the rulemaking process.

But Greg Schaffer, the assistant secretary for the Department of Homeland Security’s cybersecurity office, said regardless of the legal mechanism used, the government needs to create an environment in which the private operators of critical infrastructure know what is expected of them.

“There is no real established standard of care,” he said. “There is so much variability in the way that networks are put together and the way systems are protected, it becomes very hard to say whether someone’s lived up to what they should be doing. One of the things that this proposal does is that it allows industry to participate in developing frameworks, commit to frameworks, and then develop plans to meet those frameworks. Then, it becomes easier to say, ‘Well, you said you needed to do this in order to secure your network. Did you do that?'”

Under the White House proposal, DHS would take the lead in helping to secure, on a voluntary basis, most of cyberspace’s commercial neighborhoods. Government-approved plans only would be required for what is eventually determined to be “covered” critical infrastructure, such as power, banking or water systems. Operators of that infrastructure would have to submit plans for securing it to DHS for approval.

“Non-covered” critical infrastructure operators would develop their own independent plans. The government would provide help if requested. The administration hopes those voluntary plans will help establish future “rules of the road” for other private sector industries, critical or not.

Also under the administration proposal, companies that share cybersecurity threat information with the government would receive new legal protections. They would be granted immunity in civil suits when they share cybersecurity information in good faith with federal agencies. Schaffer said currently, the fear of lawsuits stops, or at least slows down, such information sharing.

“On any given day, we have entities that are under attack or have found something in their own infrastructure that they think is important for the government to know and for a larger community to defend against,” he said. “That often leads to a week-long process of working with counsel to determine whether that information can be shared. In this space, milliseconds count. Days and weeks are not a good measure of how long it should take to get things done.”

Sen. Richard Blumenthal (D-Conn.), a former state attorney general, said there’s a case to be made that industry should face more accountability to safeguard data, rather than less. He said a cybersecurity overhaul should give individual citizens explicit rights to bring private legal actions in data breach cases.

“I’m struck that some of the breaches recently are the equivalent of leaving the vault open without a guard at the door,” he said. “Failure to encrypt, failure to take basic safeguards. A bank can be a victim of a robbery and claim to be a victim, but if it doesn’t take certain basic steps to safeguard its depositors’ money, it should be held accountable. If you’re not going to make that enforceable by citizens, you’re foregoing a basic means of making these institutions accountable.”

Ari Schwartz, senior Internet policy advisor for the National Institute of Standards and Technology, said the administration is taking an approach based on transparency. The Obama proposal would require companies to make full and timely notifications to customers in the event of a cyber attack that compromises individuals’ data.

“We think this helps to provide a series of incentives,” he said. “One of them is the effects of the disclosure on cybersecurity performance, there’s the related reputation risks, access to government procurement, and fourth is litigation risk. We think we can help to build greater incentives in the future, including, perhaps, as this marketplace and transparency builds, an insurance market that can help address some of those issues.”

The Judiciary Committee is one of eight separate committees with jurisdiction over some piece of cyber security legislation in circulation this year. Senate Majority Harry Reid’s office has the task of integrating whatever legislation emerges from each of them into one bill, which senators hope to pass this year.

The House Homeland Security Committee will hold another hearing on the cybersecurity proposal on Friday.

RELATED STORIES: White House cyber proposal boosts DHS role

House draft bill expands DHS cyber responsibilities

Senate committee finds few hurdles with cyber proposal

(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)

This story is part of Federal News Radio’s daily Cybersecurity Update. For more cybersecurity news, click here.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.