Senate Panels to Tackle Cybersecurity Bills
Debate Slated for FISMA Reform, Cyberthreat Sharing Measures
A handful of cybersecurity bills could come up for votes next week in Senate committees. But whether the entire Senate gets to vote on the measures remains an open question. No major cybersecurity bill has passed the Senate since 2002.
"I suspect not much will change," says Robert Carey, who stepped down in March as the Defense Department's principal deputy chief information officer and co-chair of the CIO Council's information security committee. "I went to visit [lawmakers] a few months ago and they were just as partisan as ever. The nation is being negatively affected by the lack of action by the legislature, tremendously."
The Senate Homeland Security and Governmental Affairs Committee has scheduled for a June 25 markup session - where lawmakers can amend and vote on legislation - three cybersecurity-related bills. Among those measures is the Federal Information Security Modernization Act, a bill that would update the 12-year-old Federal Information Security Management Act, the law that governs federal government IT security.
The other two measures the committee is scheduled to consider are the National Cybersecurity and Communications Integration Center Act, aimed at strengthening the center, a Department of Homeland Security operation that houses the U.S. Computer Emergency Readiness Team; and the Federal Information Technology Acquisition Reform Act, or HR 1232, which passed the House in February. It would streamline IT acquisitions and require the president to appoint the chief information officer of federal departments and major agencies.
The Senate Select Committee on Intelligence scheduled a markup session on June 24 for the Cybersecurity Information Sharing Act, which its sponsors contend would incentivize the sharing of cybersecurity threat information between business and the government and among private sector entities (see Senate to Mull Cybersecurity Sharing Bill). A similar bill known as CISPA, the Cyber Intelligence and Protection Act, overwhelmingly passed the House of Representatives last year (see House Handily Passes CISPA), but the Obama administration has threatened to veto that measure because it believes the liability protections given businesses are too broad and that the measure doesn't do enough to protect citizens' privacy (see White House Threatens CISPA Veto, Again). The White House declined to comment on the Senate version of the information sharing bill.
Senate Homeland Committee Chairman Tom Carper, D-Del., at a hearing in March identified differences on defining liability protections as an obstacle for Congress to agree on comprehensive cybersecurity legislation (see Why Congress Can't Pass Cyber Law). "If we can solve this one, I think we'll move a long way to where we need to go in this arena," he said.
Can 2014 Be the Year?
A lack of consensus exists among federal government IT security watchers on whether the 12-year drought on cybersecurity legislation enactment will come to an end this year.
"The Senate has been toying with FISMA reform since 2009, and it hasn't gotten out of the Homeland Security and Governmental Affairs Committee," says Bruce Brody, former Energy Department chief information security officer and former chief cybersecurity strategist at CACI International, an IT and professional services company. "There doesn't appear to be any compelling reason this year to assume that Congress is actually going to make something useful happen."
Paul Rosenzweig, a former DHS deputy assistant secretary for policy who serves as a senior adviser to the security consultancy Chertoff Group, says Congress' legislative calendar works against passage of cybersecurity legislation. "2014 does seem to be different in that the bills are less comprehensive and therefore more likely to garner broad support," he says. "But time is not on their side."
Passing legislation is always difficult during an election year. But James Lewis, director and senior fellow at the Center for Strategic and International Studies, a Washington think tank, sees a possible window of opportunity. "Information sharing and FISMA reform have a chance," Lewis says. "Both have been in play a long time and FISMA isn't controversial. Information sharing has a matching bill in the House. You might see them both in the lame duck session."
With Congress' failure to enact cybersecurity legislation, the Obama administration has acted on its own to take steps to secure the nation's and government's digital assets. In February, the White House issued its cybersecurity framework, a series of IT security best practices aimed at securing the IT of the nation's critical infrastructure (see The Evolving Cybersecurity Framework). In April, the administration issued a policy statement that says businesses sharing cyberthreat information with one another do not violate antitrust laws (see Feds OK Businesses to Share Cyberthreat Info). "Just focusing only on the legislation is probably not really where we want to go entirely," White House Cybersecurity Coordinator Michael Daniel said in an interview with Information Security Media Group earlier this year (see Top Obama Adviser Speaks Mind on Cyberthreats). "What we want to look at is what we can do to improve information sharing short of requiring legislation."
Using its executive powers, the Obama administration is implementing many of the provisions in FISMA reform legislation, such as the continuous security monitoring of departments' and agencies' IT systems.