Editor’s note: This story was updated at 1:30 p.m. May 3 to include a clarification by Homeland Security officials regarding the department’s preferred approach to securing critical infrastructure.
A week after the House of Representatives approved four cybersecurity bills, Defense and Homeland Security department officials are warning there’s trouble ahead if the full Congress doesn’t pass legislation updating the nation’s cybersecurity laws soon.
“Cyber week” in the House included passage of four bills: one dealing with updates to information assurance in federal agencies, another handling cybersecurity information sharing, and two others dealing with federal cybersecurity research. The Senate, meanwhile, is working on an all-in-one approach to cybersecurity with two competing comprehensive bills.
While the debate in Congress continues, federal agencies in charge of cybersecurity are keeping up the pressure on Congress to enact legislation as soon as possible. “I’m not one for creating fear, uncertainty, doubt and hyperbole, but we’re at a point now where something has to happen,” Mark Weatherford, the deputy undersecretary for cybersecurity at DHS, told a cybersecurity forum cohosted by the University of Rhode Island and Rep. Jim Langevin (D-R.I.). “I’ve been in this business for my entire adult life, and I get worried when I see the kind of [threats] I’m seeing on a daily basis, and that I’ve seen building over the years.”
In particular, Weatherford said he’s especially concerned about cyberattacks against the industrial control systems that underlie much of the nation’s electric grid and other critical infrastructure, many of which were built long before the word cybersecurity was part of anyone’s vocabulary.
“For many, many years, that stuff was under the radar, because no one knew you could do anything with it,” he said. “That has changed, and those are the underpinnings of society. It’s the critical infrastructure that makes our society function and work.”
Weatherford said DHS wants cybersecurity legislation to include at least three things:
Provisions that would let the government and private companies share threat information. “I relate this back to the time when I worked for the North American Electric Reliability Corporation,” he said. “Oftentimes, we would call a company to tell them they had a security issue, which may or may not have been tipped to us from the government, and the first person we always talked to was an attorney. That attorney had to make sure that the information we talked about wasn’t going to get them in some sort of legal trouble. That’s one of the information sharing barriers right there. There are perceived legal liability impediments to sharing information.”
Codification of the patchwork of responsibilities and authorities DHS has when it comes to securing federal agencies and helping the private sector secure their systems. “DHS executes its portion of the federal cybersecurity mission under an array of existing executive and statutory authorities. Unfortunately, these authorities have simply failed to keep up with the responsibilities DHS is charged with leading,” he said. “Our nation cannot improve its ability to keep up with cyber threats unless certain laws that deal with cybersecurity are updated.”
Authorities for DHS to adopt industry-led minimum cybersecurity standards for the operators of the nation’s most critical infrastructure. That’s perhaps the most contentious issue among lawmakers, and it was left out of last week’s cyber bills in the House. A second senior DHS cyber official later clarified that the process would be “collaborative” with industry, and that DHS would only add its own standards if it determined that the private sector’s own baseline protections were inadequate. The department’s only enforcement mechanism would be to publicly identify those firms that were failing to meet the published standards.
DoD also wants Congress to get moving on cyber legislation.
Army Lt. Gen. Michael Flynn is currently the assistant director of national intelligence for partner engagement, and President Obama nominated him last month to be the next director of the Defense Intelligence Agency. He told the symposium DoD worries about its inability to share the threat information it already has with private industry.
“This idea of partnering is a big, big deal, and it’s one of the things we have to look at in terms of our legal framework,” he said. “Let’s say a big company is getting ransacked of all of its intellectual property. They may not have the capability or the insight to even see that happening, they just feel it because they’re losing money. They pick up the phone and call [the U.S. Cyber Command] and ask if we’re seeing this, and right now we can do nothing about it. So companies are paying more for insurance, they’re paying more for security, they’re paying more for information assurance, which means it drags down the economy and raises the cost of just about everything.”
One of the four House bills from last week, the Cyber Intelligence Sharing and Protection Act (CISPA), is intended to break down those information sharing barriers, in part, by granting legal liability protections to companies that share or receive cyber threat information. The bill has spurred an online outcry led by privacy groups who say those immunity provisions are far too broad.
The White House agreed. The Obama administration issued a veto threat over privacy concerns and because the bill doesn’t give DHS the authority to regulate critical infrastructure.
Langevin was one of just 42 Democrats who voted for the bill. He said the privacy concerns were solved through amendments. “The version that passed the House included strict limitations on what information can be given to the government, along with the requirement for an inspector general’s report reviewing what information was shared,” he said. “It also sunsets within five years, and we’ll make adjustments as necessary.”
But he agreed with the White House that the bill is too weak on the critical infrastructure score. He supported a separate bill, the PRECISE Act, which would have given DHS the regulatory authority it wants.
“Unfortunately though, it wasn’t debated in last week’s so-called ‘cyber week,’ and I hope that bill will come back up,” he said. “But to my great frustration, the need to completely take care of our critical infrastructure needs remains, I believe, unaddressed.”
Langevin, who has been working on cyber issues for several years, said overall the bills the House passed last week don’t go nearly far enough toward updating the nation’s cybersecurity posture. But they’re a lot better than nothing.
“This is the barest of beginnings compared with what needs to be done, but they’re an important reminder of how far the debate on cybersecurity has come,” he said. “Five years ago we were out talking in the wilderness about an issue that most people had never heard about. Now, the cyber debate is part of our daily policy conversation, and it’s universally identified by our country’s top national security officials as one of the top threats to our country’s security.”