Congressional regulation of federal cybersecurity offers only a mixed-bag of solutions
February 25, 2020 10:32 am
Cybersecurity is a big challenge for the federal government because of the way it encompasses technology, foreign policy, national security and crime. Carrie Cordero argues that Congressional oversight of federal cybersecurity is too much of a patchwork and ought to be consolidated. Cordero is an attorney with long experience in the national security end of the government, and is now a senior fellow at the Center for a New American Security. She joined Federal Drive with Tom Temin to discuss.
Tom Temin: Ms. Cordero, good to have you on.
Carrie Cordero: Thanks for having me on.
Tom Temin: So your thesis is that, I guess, a lot of functions in government, like Homeland Security, have complained of scattered and patchwork congressional oversight. Tell us what you’re seeing and what you think is going on with cyber security oversight.
Carrie Cordero: I, along with my co-author David Thaw, who’s a professor at the University of Pittsburgh, recently published a briefing paper where we urge a rebooting of congressional cybersecurity oversight. In other words, we think that it’s time for Congress to take a little bit of a different view, a higher level holistic view of cybersecurity, to try to think forward in terms of how can it create legislation, considering passed legislation, that takes on a number of cybersecurity challenges? And what we try to do is outline the current framework for cybersecurity law and then provide a couple of what we think are fairly modest recommendations.
Tom Temin: And give us just the short form of the current cybersecurity law, because it’s a big and complicated hairball, if you will.
Carrie Cordero: So currently, what we try to do is describe it in a very general way in terms of cybersecurity law that is directed at government entities. So that would be the types of laws that regulate certain parts of the government, whether those pertain in the military area or whether those pertain to standards for cybersecurity across civilian agencies. And then a separate body of law that developed which is cybersecurity law directed at nongovernmental agencies. And that is a relatively well-established area of law, particularly because it’s broken down into sectors. So there are different privacy and cybersecurity laws that apply in a general way to different areas of the economy or subject matter areas. Over the course of the last decade, I would say, much of the legislative initiative has been focused on improving information sharing and there was a law passed in 2015 that was specifically focused on information sharing. But that effort was such a heavy lift that there has not been a lot of progress in other areas of cybersecurity beyond information sharing.
Tom Temin: And I guess you could say that the cybersecurity patchwork also involves corporate America as much as it does how federal agencies should respond, correct?
Carrie Cordero: Well, of course, yeah, so that is one of the challenges is that — and we try to lay this out, Professor Thaw and I in the briefing paper, which is that this is not, cybersecurity legislation cannot be just considered a government issue. In other words, there’s some areas of government activity where we can look to a particular department and say, “This is this department’s responsibility and they’re gonna handle it.” But because some of the infrastructure — the information infrastructure resides in the private sector, cybersecurity efforts have required both the work of government and also the private sector. And so what we propose is really two very modest recommendations. One is that in the near term this year, Congress focus its efforts on considering and hopefully passing cybersecurity election security related legislation. There have been a number of bills that are on that front. And then second what we propose is that once we get beyond this year and the issues of election security that Congress consider creating a select committee, which would focus on cybersecurity issues for the next couple years and try to conduct oversight from a centralized short term select committee.
Tom Temin: We’re speaking with Carrie Cordero, senior fellow with the Center for a New American Security. And a couple of questions that rise from here: First of all, getting back to the government itself for the executive branch for just a moment, the Cybersecurity and Critical Infrastructure Security Agency, formerly the NPPD, has a big part of the infrastructure in the United States, and they’ve identified 17 or 18 sectors, each of which have a corresponding federal agency, often DHS itself. Do you think this kind of legislation could clarify the work that agency is doing? They just came out as a matter of fact with their election security strategic plan.
Carrie Cordero: So that’s one area where there has been some legislative activity in terms of the formalization of that entity and its work and it takes advantage of a track record that the Department of Homeland Security has been establishing to step up its efforts in terms of protecting the civilian infrastructure in particular, and then basically serving as a conduit to be able to work with the private sector. So that is one area where we’ve seen an advance in the last year or so, and hopefully that work will continue and grow.
Tom Temin: Because when Congress, if they do as you are suggesting, some kind of cybersecurity legislation for elections, that could be a tough haul simply because elections are the jurisdiction of 8,000 different entities, none of which are the federal government.
Carrie Cordero: That’s absolutely right. And that’s one of the challenges in trying to work through the different bills that consider election security is that the election infrastructure itself resides at the state and local level.
Tom Temin: And on the idea of a select committee, I guess the question is, do you feel realistically that the state that Congress is in now it can come together to do anything of importance like this in a way that both parties can sign on to?
Carrie Cordero: Well, you know, that’s an interesting observation. There currently is an entity that is comprised of members of Congress, and it’s called a cybersecurity [cyberspace] solarium commission. And that group of members and some outside experts have been doing some work over the course of the last year. I’m looking forward to seeing the report that is issued from that work, which is currently expected to be issued sometime this spring. And what Professor Thaw and I in our briefing, what we’re hoping is that potentially the work that’s done through that solarium commission report, which we don’t know what’s in it yet and what it’s going to recommend, could be continued through this potential select committee. In other words, we’d hate to see whatever work has gone in to that commission’s work end when the commission ends, and we think that a select committee would be more of a formalized way to continue that engagement.
Tom Temin: I guess. On the other hand, Congress has shown some unanimity in certain issues. Cybersecurity actually is one of them, paid parental leave, data, that kind of thing. So maybe there’s a possibility of that?
Carrie Cordero: Hopefully. You know, one issue that we try to focus on at Center for New American Security is an area where there can be bipartisan collaboration and bipartisan work on issues, particularly as they relate to national security. And sometimes we can find that there can be all sorts of areas in our political dialogue where there is not agreement. But national security sometimes can be in an area where collaboration on a bipartisan basis still is possible from time to time.
Tom Temin: And when you look at the current condition of a mishmash of overlapping authorities of different congressional committees and the way this is all spread out, disjointed somewhat, do you feel that curing it in the manner you suggest would simply end some of the inconvenience and bureaucracy? Or could it actually improve national security?
Carrie Cordero: Well, we think that it would improve national security. Of course, the goal in creating more of a comprehensive legal framework is that it would provide better cyber security. Now one of the challenges has been — my professional colleague Paul Rosenzweig at the R Street Institute is doing a lot of work on this issue — has been the difficulty in measuring whether cybersecurity activities, whether they’re by government or by the private sector, are being successful. And as an academic and policy community we really don’t have good data right now to rely on to determine whether cybersecurity activities that are being conducted by organizations or entities or companies are actually having the intended result. And so there’s this gap in data that is one of the challenges in determining whether or not cybersecurity activities are being successful.
Tom Temin: Carrie Cordero is senior fellow with the Center for a New American Security. Thanks so much for joining me.
Carrie Cordero: Thank you.
Tom Temin: We’ll post this interview along with a link to her article at www.federalnewsnetwork.com/FederalDrive. Hear the Federal Drive on demand. Subscribe at Apple Podcasts or PodcastOne.