The journey towards the adoption of cybersecurity legislation has had a number of false starts during the Obama administration, and that journey is far from over.
If a joint hearing Thursday by the U.S. Senate Commerce and Homeland Security committees is any indication, opinion on the Hill remains divided in regards to what the next step should be to improve both security and cooperation between government and business.
The executive order signed by U.S. President Barack Obama last month expands the voluntary Enhanced Cybersecurity Services program and paves the way for security clearances for personnel at critical infrastructure companies are expedited. It also includes a provision directing the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity best practices and standards for critical infrastructure providers.
The order was issued despite criticism from some members of the Republican Party who felt the president was acting unilaterally. At the hearing, Sen. Tom Coburn, (R-OK), said the principal disagreement about legislation has centered on the issue of liability protection for businesses. There hasn’t been a single person who has testified at hearings he has attended on the issue with Sen. Tom Carper (D-DE) that didn’t recognize the need for such protections against “frivolous lawsuits,” he said.
If there is a place for new legislation, it is in the area of providing reasonable protection for information sharing between industry and government, testified David Kepler, chief information officer of the Dow Chemical Company. Kepler stated that his company does not support proscriptive legislation that would place a burden on business, and that because cyber-security threats are constantly in flux, response to them has to be fluid and risk-based.
“The key principles of collaboration are: one, advancing more specific and timely information sharing between government industry and my industry peers; two, reasonable protection for sharing threat or attack information between the government and other companies; and finally, it also has to lead to aggressive pursuit and prosecution of cybercriminals,” he said.
U.S. Department of Homeland Security Secretary Janet Napolitano noted in her testimony that the budget situation is impacting the battle for control of cyberspace.
“We also know that threats to cyber space and the needs to address them do not diminish because of budget cuts,” she said. “Even in the current fiscal climate we do not have the luxury of making significant reductions to our capabilities without having significant impacts.”
“In order to be able to best meet this growing threat, we need Congress to enact a suite of comprehensive cybersecurity legislation,” she said. “I appreciate the efforts made in the last congress to pass bipartisan legislation, but the inability to get this done has indeed required the president to take executive action.”