The White House still holds out hope for comprehensive cybersecurity legislation from Congress — just not a lot of hope.
Instead, the administration now has a goal of passing smaller bills that address challenges everyone can agree about.
After three years of trying to get a comprehensive cyber bill through Congress and failing, Michael Daniel, the White House cybersecurity coordinator, said they have to try something different.
“I do think from the administration’s standpoint, one thing that has evolved in our thinking is that we do think it will be easier for us to get smaller pieces of legislation rather than one giant comprehensive bill,” said Daniel Thursday at an event sponsored by the Center for National Policy and the Christian Science Monitor in Washington. “So a lot of our efforts are involved in getting whatever we can passed on whatever vehicle we can manage to get it attached to as long as the policy and legislation itself are acceptable.”
There are two potential vehicles that Daniel is referring to: the Defense Authorization bill or the omnibus spending bill, should Congress pass one instead of passing each of the agency’s appropriations bills separately.
Daniel didn’t specify which smaller bills he’d like to see passed, but several already made it through one of the houses of Congress.
One such bill is the update to the Federal Information Security Management Act, or FISMA. That bill has received bipartisan support in both houses of Congress. The House passed its version of the FISMA update in April 2013, while the Senate Homeland Security and Governmental Affairs Committee approved its version in September.
Another possibility is a bill to help promote cyber information sharing. The concept is gaining ground in the Senate since the House has supported such legislation the last few years. The House passed Rep. Mike Rogers’ (R-Mich.) bill in April 2013, the Cyber Intelligence Sharing and Protection Act (CISPA). Meanwhile, the Senate’s version, authored by Sen. Dianne Feinstein (D-Calif.), passed the Select Committee on Intelligence in July.
There also are several cyber workforce bills that have broad support, such as the one by Rep. Yvette Clarke (D-N.Y.), which would require the Homeland Security Department to develop classifications for cyber expertise, which also could be shared across government.
Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee, said he agrees with the administration that Congress must address cybersecurity this year.
“The committee has passed three bills with bipartisan support that would go a long way to address several key issues that the U.S. faces in cyber space today. While our work in this area is far from finished, the bills are an important step in our effort to modernize our nation’s cybersecurity programs and help the public and private sectors work together to tackle cyber threats more effectively in the future,” Carper said in a statement. “I will continue to work with Dr. [Tom] Coburn (R-Okla.), [the committee’s ranking member] and my colleagues in the Senate on cybersecurity legislation to better secure our nation from evolving cyber threats.”
Recent breaches may spur Congress
Daniel said he knows chances are slim to get Congress’s attention around cybersecurity in the short term.
But Frank Cilluffo, the director of the Homeland Security Policy Institute at the George Washington University in Washington, said the White House does have a few things going for it to get lawmakers’ attention — all the recent commercial cyber breaches that have happened over the last year.
“The Target breach was bad for Target in many, many ways — billion-dollar bad. But because there was punishment in terms of the marketplace, punishment in terms of people losing jobs and punishment in terms of the board being threatened with a recall, it sent shockwaves throughout numbers of other boards, and it’s bringing attention to this and we are seeing actions happen in a way that it wasn’t before,” Cilluffo said. “In this aura of cyber insecurity that surrounds us right now, we are seeing a lot of the needed actions that have been put off for a long time moving forward. We are seeing the building up of awareness that we called for. We are seeing the change in the education. Now clearly it’s not fast enough and it’s not good enough. But we are in a better place than we were say two or three years ago, and part of it, I hope we can change the mentality from thinking we need to defend against everything to instead become resilient.”
The most recent hack that came to light at JP Morgan Chase also is serving as a further wake-up call for the government. In fact, that data breach drew the attention of the White House.
Daniel said his office informed President Barack Obama and his senior staff as part of their daily briefings on a wide range of security threats to the nation. He said it’s no different than any other threat, problem or incident involving critical infrastructure of the United States.
Daniel said he realizes getting legislation through may be tough this year, but they continue to try.
“We’ve been heavily involved with the relevant committees of jurisdiction in both the House and the Senate to work on the legislation and make improvements to it, and get it in a place to pass both houses and the President could sign,” he said. “We remain committed to doing that, but obviously getting anything passed on Capitol Hill right now is quite a challenge, so I think we try to remain realistic, but something we still remain heavily engaged with.”
Daniel said in the meantime, the administration will continue to press forward under existing authorities. He said legislation still is necessary and eventually Congress will get there — whether it’s this session or next or the one after that.
Cyber framework coming to agencies
Among the cyber initiatives the White House is leading are the three cross-agency priority goals: the continuous diagnostics and mitigation (CDM) program, two-factor authentication using employee smart cards under Homeland Security Presidential Directive-12 and the Trusted Internet Connections (TIC) initiative.
Daniel also offered some details about a new twist for an old priority.
“The recent guidance that came out from the Office of Management and Budget on FISMA implementation is tying it ever closer to the [critical infrastructure cyber] framework. I think agency CIOs are getting tired of me coming and talking to them about how they have to use the framework inside their own agencies, but that is clearly a direction we are moving in,” he said. “We’re bringing those principles in to how we manage the federal government’s own cybersecurity, and we are developing, in fact, an overlay for the federal government that is related to the framework.”
The framework is helping agencies do a better job of protecting their computers and networks from a more holistic point of view. Daniel said that means agencies need to do more than just protect systems and data, but really understand what it means to their business if they lose data or a system goes off line.
Daniel said his office has been working hard to build agencies’ response and recovery capabilities.
While processes and tools are important, Daniel said if agencies don’t have a skilled and trained workforce, then little else matters.
New workforce initiatives
Daniel said the administration has been taking steps over the last five years to expand the skills and overall concept of the cyber workforce.
“We need a much bigger workforce to deploy against the problem. It needs to have an incredibly wide array of skills, ranging from a lot more technically focused folks to help companies and government agencies out with their immediate technical problems associated with cybersecurity, but also people that understand how cybersecurity interacts with their industry, how it interacts with industrial control systems, how it interacts with our financial sector, from a policy standpoint, from a legal standpoint and from an international standpoint,” he said.
Daniel added the administration has launched or plans to launch several new tools to build the cyber workforce in all sectors of the economy.
“We’re really trying to drive a connection with the administration’s jobs driven training initiative. In fact earlier this month, we rolled out a whole slew of grants for community colleges and other universities, a lot of which will go to cybersecurity related programs to support efforts in expanding that,” he said. “The National Initiative for Cyber Education (NICE) is focused on three different efforts. One of which is to develop a heat map of where the cybersecurity related jobs are. To really expand the number of cyber centers of academic excellence that are accredited by DHS and the National Security Agency and to expand the scholarship for service program that funds specific cybersecurity related scholarships.”
Daniel said agencies and industry need to recognize that cyber skills don’t necessarily mean technical skills; people who are diplomats, financial officers or acquisition experts must also know how cyber fits into their discipline.
Daniel said that’s part of the reason why the administration is trying to create a large pool of cyber experts to choose from as the demand for workers with this expertise will continue to grow.