wfedstaff | April 17, 2015 3:43 pm
Editor’s note: This story was updated at 1:30 p.m. May 3 to include a clarification by Homeland Security officials regarding the department’s preferred approach to securing critical infrastructure.
A week after the House of Representatives approved four cybersecurity bills, Defense and Homeland Security department officials are warning there’s trouble ahead if the full Congress doesn’t pass legislation updating the nation’s cybersecurity laws soon.
“Cyber week” in the House included passage of four bills: one dealing with updates to information assurance in federal agencies, another handling cybersecurity information sharing, and two others that dealt with federal cybersecurity research. The Senate, meanwhile, is working on an all-in-one approach to cybersecurity with two competing comprehensive bills.
While the debate in Congress ensues, federal agencies in charge of cybersecurity are keeping up the pressure on Congress to enact legislation as soon as possible. “I’m not one for creating fear, uncertainty, doubt and hyperbole, but we’re at a point now where something has to happen,” Mark Weatherford, the deputy undersecretary for cybersecurity at DHS, told a cybersecurity forum cohosted by the University of Rhode Island and Rep. Jim Langevin (D-R.I). “I’ve been in this business for my entire adult life, and I get worried when I see the kind of [threats] I’m seeing on a daily basis, and that I’ve seen building over the years.”
Insight by Carahsoft: Learn from IT experts as they outline the significant impacts cloud and 5G have on implementing zero trust architecture in this exclusive executive briefing.
In particular, Weatherford said he’s especially concerned about cyberattacks against the industrial control systems that underlie much of the nation’s electric grid and other critical infrastructure, many of which were built long before the word cybersecurity was part of anyone’s vocabulary.
“For many, many years, that stuff was under the radar, because no one knew you could do anything with it,” he said. “That has changed, and those are the underpinnings of society. It’s the critical infrastructure that makes our society function and work.”
Weatherford said DHS wants cybersecurity legislation to include at least three things:
DOD also wants Congress to get moving on cyber legislation.
Army Lt. Gen. Michael Flynn is currently the assistant director of national intelligence for partner engagement, and President Obama nominated him last month to be the next director of the Defense Intelligence Agency. He told the symposium DoD worries about its inability to share the threat information it already has with private industry.
“This idea of partnering is a big, big deal, and it’s one of the things we have to look at in terms of our legal framework,” he said. “Let’s say a big company is getting ransacked of all of its intellectual property. They may not have the capability or the insight to even see that happening, they just feel it because they’re losing money. They pick up the phone and call [the U.S. Cyber Command] and ask if we’re seeing this, and right now we can do nothing about it. So companies are paying more for insurance, they’re paying more for security, they’re paying more for information assurance, which means it drags down the economy and raises the cost of just about everything.”
Information sharing bill passes
One of the three House bills from last week, the Cyber Intelligence Sharing and Protection Act (CISPA) is intended to break down those information sharing barriers, in part, by granting legal liability protections to companies who share or receive cyber threat information. The bill has spurred an online outcry led by privacy groups who say those immunity provisions are far too broad.
The White House agreed. The Obama administration issued a veto threat over privacy concerns and because the bill doesn’t give DHS the authority to regulate critical infrastructure.
Langevin was one of just 42 Democrats who voted for the bill. He said the privacy concerns were solved through amendments. “The version that passed the House included strict limitations on what information can be given to the government, along with the requirement for an inspector general’s report reviewing what information was shared,” he said. “It also sunsets within five years, and we’ll make adjustments as necessary.”
But he agreed with the White House that the bill is too weak on the critical infrastructure score. He supported a separate bill, the PRECISE act, which would have given DHS the regulatory authority it wants.
“Unfortunately though, it wasn’t debated in last week’s so-called ‘cyber week,’ and I hope it that bill will come back up,” he said. “But to my great frustration, the need to completely take care of our critical infrastructure needs remains, I believe, unaddressed.”
Langevin, who has been working on cyber issues for several years, said overall the bills the House passed last week don’t go nearly far enough toward updating the nation’s cybersecurity posture. But they’re a lot better than nothing.
“This is the barest of beginnings compared with what needs to be done, but they’re an important reminder of how far the debate on cybersecurity has come,” he said. “Five years ago we were out talking in the wilderness about an issue that most people had never heard about. Now, the cyber debate is part of our daily policy conversation, and it’s universally identified by our country’s top national security officials as one of the top threats to our country’s security.”
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app