Influencing Policy, If Not the LawLawmakers' Ideas Get Adopted Even If Their Bills Don't
"The devil is always in the details," says Jacob Olcott when discussing Congress' failure to enact comprehensive cybersecurity legislation over the past half decade.
Olcott, who spent years on Capitol Hill as a top staffer on cybersecurity matters, says all the wheels are in motion in order to achieve substantial legislation. "Members and staff are absolutely committed to putting forward a bill," Olcott says in an interview with Information Security Media Group's Eric Chabrow (transcript below).
But there are many questions to be answered, Olcott explains. "What's the role of the Department of Homeland Security in this? What's the role of first-party regulators? Where do existing regulations fall down and what should the government be asking the private sector to do?" Olcott asks.
However, with all the delays in passing legislation, Olcott, who has worked for Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Rep. Jim Langevin, D-R.I., founder of the House Cybersecurity Caucus, has seen progress in efforts to create IT security policy. One such example is Rockefeller's efforts to get the Securities and Exchange Commission to issue guidance that explains how companies should report cyber incidents that could have an adverse affect on their finances or operations (See SEC issues Cyber-Incident Guidance).
And legislation will come as well. "The debate has been very robust and there are a lot of members who are participating in it now," Olcott says. "I don't think it's a matter of if, but when."
In the interview, which took place before the Senate Majority Leader Harry Reid announced that the chamber will debate cybersecurity legislation early next year (see Senate to Take Up Infosec Bill in Early 2012), Olcott also explains:
- Why Congress takes so long to enact comprehensive cybersecurity legislation.
- How different cultures in the House and Senate affect how lawmakers approach cybersecurity legislation.
- Why, despite challenges, Congress will enact comprehensive cybersecurity legislation.
Olcott in October left Congress to join Good Harbor Consulting, the firm founded by former top White House IT security adviser Richard Clarke, as a principal specializing in cybersecurity. Most recently, Olcott served as the lead negotiator on comprehensive cybersecurity legislation for the Senate Commerce Committee. Before joining the Senate panel, Olcott served as staff director and counsel for the House Homeland Security Subcommittee on Emerging Threats.
He holds a law degree from the University of Virginia and received his bachelor of arts from the University of Texas at Austin.
Hold-Up in IT Security Legislation
ERIC CHABROW: Why is it taking Congress so long to enact significant IT security legislation? It's been years since anything of any major substance has been enacted.
JACOB OLCOTT: It's a combination of a couple things. First of all, these are very difficult and challenging issues, and they're issues which continue to change on a monthly basis, weekly basis and hourly basis. It's been interesting trying to get folks up-to-speed and it's been a very long education process for a lot of members and certainly staffers on the Hill. Really, what we're dealing with are two major issues. You've got, on the one hand, the technical issues, challenges in cyberspace and cybersecurity, and then the policy challenges. So in order to be able to do one or the other, you have to sort of know both. It's been a long learning process for a lot of different people.
Jurisdictionally, Congress isn't necessarily set up well to address an issue like cybersecurity, which has so many different cross-cutting issues associated with it. Whether you're talking about cybersecurity on federal civilian agency systems or military systems, those are really dealt with by two different committees right now. If you're talking about cyber attacks and cyber warfare - that's a separate committee. Critical infrastructure is dealt with by a number of different committees. Financial systems are generally the purview of financial committees, which are separate from everything else. The point is, there are a lot of different actors involved here and it's been a challenge to educate and bring folks up-to-speed, but we're getting there.
Comprehensive IT Security Bill
CHABROW: Listening to the majority leader, Senator Jay Rockefeller, who used to work for Senator Joseph Lieberman of Connecticut who chairs another committee with IT oversight, there was a deal coming up with a comprehensive IT security bill. Whatever happened to that?
OLCOTT: It's still being worked on. When I was working for Senator Rockefeller, we spent the better part of a year and a half sitting down with other staffers on the Homeland Security Committee, Senator Lieberman's staff and Senator Collins' staff, and folks continue to work on those things. Just because there isn't a product at this point doesn't mean that negotiations and discussions don't continue to this very day. They do. The next challenge really is for Senator Reid and Senator McConnell to find time on the floor to bring a bill forward. As you know, the country is facing a lot of different challenges right now; not that cyber isn't one of the most critical, but there are a lot of issues on the table that are sort of competing for time at this point.
Approach to Legislation
CHABROW: Is there a philosophical approach to this? The House leadership in the Republican-controlled chamber there looks at more of a piecemeal approach and was taking one bill at a time, rather than a comprehensive approach. Is that a problem in the Senate, in the sense of getting legislation to the floor?
OLCOTT: It's not. It's just a different way of dealing with the issue. Having worked in the House for four and a half years on the Homeland Security Committee, I can tell you it's more of a function of the way that House rules are set up versus Senate rules, and your listeners shouldn't necessarily read anything more into that. I think that, from my understanding of the way that the House is proceeding, they obviously have the Cyber Task Force, which is composed of a number of different members from a number of different committees. Those members, I believe, will be going back to their committees and working on their own cybersecurity bills. At some point, those bills will be brought to the floor by Speaker Boehner - whether a large package or as individual bills - and eventually they will meet up with the larger cybersecurity bill that Senator Reid is trying to put together over in the Senate.
CHABROW: There may be other areas of contention, but the one area that seems most evident deals with the government regulating industry. Is that a big hang-up?
OLCOTT: You know, there doesn't really seem to be a lot of disagreement about the role of the government in regulating certain pieces of critical infrastructure, which if disrupted or destroyed, could cause catastrophic damage to national and economic security. There is broad consensus between Republicans and Democrats that that's an important issue that should be looked at. In fact, the House Cyber Task Force in its recommendations to Speak Boehner suggested that that was an issue that was certainly worth pursuing in legislation. I think that there's a lot of agreement on the concept. The devil is always in the details, though, and that's really been the debate over the last months and years. What's the role of the Department of Homeland Security in this? What's the role of first-party regulators? Where do existing regulations fall down and what should the government be asking the private sector to do? Those are the key questions that continue to be debated today.
Too Complex an Issue?
CHABROW: Is it too complex of an issue to be resolved this year?
OLCOTT: Certainly, leaders in both chambers have expressed more than an interest in getting legislation forward this year. Again, I think that you're dealing with a complicated schedule for floor time, particularly in the Senate, where you've got a number of different issues related to the super committee that have to be considered. I know that folks are working very hard on this and are certainly trying to meet deadlines.
CHABROW: Is there a certain frustration among staffers that they've been working hard - not just this past year, but for the past four or five years - on cybersecurity and not seeing anything getting done?
OLCOTT: There are a couple of different ways of answering that. On the one hand, obviously, when you work on legislation, the goal is to pass legislation, and so certainly both members and staff are hopeful that a comprehensive cybersecurity bill is passed. On the other hand, to look back over the course of the last five or six years, you could say that a number of important things have happened in cybersecurity that originated in the Congress, that may not have necessarily been bills, but have had significant impact on cybersecurity.
For instance, Senator Rockefeller played a critical role in the SEC's effort to issue cybersecurity guidance a few weeks ago to publicly-traded companies. Many people think that that's going to fundamentally change the way the private sector views cyber risk. That was a really important development that was outside of the scope of legislation, but still is going to have a very significant impact.
On the House side, I think Congressman Langevin, another former boss of mine, has been a real leader on electric grid issues, and I think he was instrumental in changing the security culture in the electric sector, particularly at the North American Electric Liability Corporation. Those things are not necessarily bills that you can point to that have passed, but actions by members that have had a significant impact.
CHABROW: What do you expect to happen this year?
OLCOTT: I have gotten out of the prognosticating business, so it's very hard to predict. What I can absolutely say is that members and staff are absolutely committed to putting forward a bill; and if it happens this year - wonderful. And if not, it will absolutely happen in the months or years to come - there's no question about that. The debate has been very robust and there are a lot of members who are participating in it now. I don't think it's a matter of if, but when.