A senator who has been active in the area of cybersecurity said Monday that he is optimistic that Congress will be able to complete negotiations with the White House and pass a major cyber bill by the end of this year.
A holdup in that process, Sen. Sheldon Whitehouse (D-R.I.) has said, was an internal, interagency review process intended to identify areas of law in need of modification in the cyber arena. Whitehouse, who chaired a classified six-month review of cyber policy for the Intelligence Committee last year, has been critical of the administration’s pace in proposing a plan to Congress, saying that lawmakers could not coalesce around cyber legislation without knowing precisely where the administration stood on the issues.
But in testimony before the Senate Judiciary Committee last week, Cameron Kerry, the Commerce Department’s general counsel, told Whitehouse that the administration was “a matter of some weeks away from being able to share some proposals with Congress.”
“This is timely, as the threat is serious and action to protect our country is overdue,” Whitehouse said at a cybersecurity symposium at the University of Rhode Island Monday. “In the Senate, the Commerce Committee reported out its bill on March 24, 2010. The Homeland Security Committee reported out its bill on June 24, 2010. The Intelligence Committee Cybersecurity Task Force completed its classified report on July 1, 2010. We are ready in the Senate. We hope to do a major bill this year.”
Gen. Keith Alexander, director of the National Security Agency and commander of the military’s US Cyber Command, said these are not simple legal issues. He said he believes the government can protect against cyber attacks without violating civil liberties, but figuring out how the rules of war apply to the cyber domain is no easy task.
“We have to have the ability to defend our nation in cyberspace, and clearly Cyber Command is going to be expected to be part of that mission,” said Alexander, who also spoke at the Warwick, R.I. symposium. “We have to have the ability to move seamlessly when our nation is attacked and defend it. How do we do that? That’s got to be established. The laws don’t exist in this area. We’ve gone faster than laws and policies have kept up with. How do you apply the rules of engagement of land warfare to cyber? What does that mean?”
Even though the military now has its own centralized cyber command, its main function is to defend the Defense Department’s own networks. Pentagon leaders have said they have no desire to militarize the Internet, and that protecting the dot-gov and dot-com domains should rest with the Department of Homeland Security.
But DoD also depends to a great degree on civilian infrastructure, such as the power grid. Alexander said he has reason to be concerned about that.
“If you were to ask me to rank order where industries are in terms of their cybersecurity capability, I think power is at or close to the bottom of the list,” he said. “Not because they’re bad, but because that’s not a focus area for them right now. Not only that, but they don’t have the technical expertise nor the government help they need. And we ought to give it to them.”
Dr. Douglas Maughan, director of DHS’s Cyber Security Research and Development Center, said his organization is trying to do just that. A program called TCIP-G, which began in Oct. 2010 in partnership with the University of Illinois at Urbana-Champaign and other academic institutions, aims to help utilities and grid operators create a smart, trustworthy power grid of the future, with cybersecurity features baked in.
“The key thing here is that as part of this project, there’s an advisory board of thirty-plus private sector companies,” he said. “The university and the government aren’t going to be the ones to make this a reality. We have to have the private sector, those vendors who are going to build the technologies, those asset owners and operators who are going to deploy the technologies at the table to start with, so we ensure that what gets built actually will get deployed.”
Maughan said that hasn’t always been the case with federal R&D, and that too often, technologies are developed with federal research dollars only to be relegated to bookshelves.
Maughan said DHS is trying to take a similar approach to critical infrastructure in the oil and gas industry. “They came to us and said, ‘we don’t do cybersecurity, we do oil and gas. Help us out,’” he said. “Essentially what it amounts to is an agreement between five of the super major oil and gas companies that allows them to do pre-competitive, collaborative R&D with the support of the government. They put their projects on the table, they put their money on the table, and we help them manage it. And in the end, the goal is to raise the bar for the entire oil and gas sector, and not just the five oil and gas companies that are at the table today.”
But Rep. Jim Langevin (D-R.I.), one of many lawmakers who have introduced cyber legislation, said laws need to be changed to put someone in charge of the government’s overall cyber security efforts.
“There’s no one single person or office with the proper authorities leading our efforts to keep our networks safe. My proposal establishes one national office with the proper budgetary and policy authorities to oversee cybersecurity.”
Associate Deputy Attorney General James Baker testified last week that the administration agrees that moving forward on cyber security is urgent. He said the administration has made “substantial progress” on preparing a policy proposal for Congress that does the job, while also protecting civil liberties.
This story is part of Federal News Radio’s daily Cybersecurity Update brought to you by Tripwire.