Communications Daily is a service of Warren Communications News.
Executive Cybersecurity Plan

White House Cybersecurity Plan Has Effective Provisions, But Other Provisions Needed, Lawmakers Say

The release of the White House proposed cybersecurity legislation is a very important step in protecting critical infrastructure, said Sen. Joe Lieberman, I-Conn., chairman of the Senate Homeland Security and Governmental Affairs Committee, at a hearing Monday. “If we don’t do something soon, the Internet is going to be a digital Dodge City,” he said. “Cyberspace is just too important in modern life for us to sit back and allow that to happen.” The White House plan is similar to the Cybersecurity and Internet Freedom Act he introduced in February, he said. “Where there are differences, I think we can work together to find agreement.” The cyber arena “is where the biggest gap exists between the threat level and vulnerabilities and our level of preparedness,” said ranking member Sen. Susan Collins, R-Maine. “Unfortunately, the government’s overall approach to cybersecurity has been disjointed and uncoordinated to date.” Comprehensive cybersecurity legislation is more urgent than ever, she said.


Representatives from the Departments of Homeland Security, Justice, Defense and the National Institute of Standards and Technology said at the hearing that DHS should have a greater role in working with the private sector. The Obama administration’s framework “gives DHS much clearer authority and responsibility to work in a voluntary way with the private sector,” said Philip Reitinger, DHS deputy undersecretary. It also speeds information sharing “so that we can get much better data much more rapidly from the private sector,” he said. The proposed legislation “breaks down the barriers of information sharing so that stakeholders can communicate effectively,” said Robert Butler, DOD cyberpolicy deputy assistant secretary. It also updates and reforms criminal statutes, he added. Cyber intrusions “might create future access points through which criminal actors and other adversaries compromise critical systems during crisis,” said Jason Chipman, senior counsel to the deputy attorney general. The administration will make it clear that the Racketeer Influenced and Corrupt Organizations Act applies to computer crimes to stop criminal syndicates that operate around the world, he said.

Lieberman and Collins noted the similarities between the Obama administration’s plan and Lieberman’s legislation, but urged improvements in the White House plan. Both bills direct DHS to work cooperatively with the private sector and state and local governments to “share cybersecurity risk management best practice information,” Lieberman said. The plans also clear “the way for industry to share cybersecurity information without having to worry about running afoul of various privacy statutes that impede information-sharing,” he said. Both contain “robust privacy oversight to ensure that our broader cybersecurity efforts do not impact individual privacy or civil liberties,” he added. His legislation creates a White House Office of Cyberspace Policy with a Senate-confirmed leader. Stakes are so high that “whoever holds that position, should be confirmed by Senate and held accountable to Congress,” he said.

While Lieberman’s legislation clarifies the president’s authority to act in a true cyber emergency, the White House plan does not, they said. The legislation has “explicit provisions preventing the president from shutting down the Internet” and puts limits on the length of any emergency actions and includes privacy protections, Collins said. She asked the witnesses why the plan hasn’t carefully defined what the president’s authority should be and why the administration isn’t updating the Communications Act. “This is an area where we should be thinking ahead about exactly what authorities we want the President to have rather than … relying on a 1934 law that allows the President to take over control of radio stations,” she said. The witnesses said more discussion around reforming the Communications Act is merited.

The White House plan calls for the publication of evaluation results of the cybersecurity practices of critical infrastructure sites that are classified, Collins said. “My concern is we don’t want to give those who would do us harm a roadmap to how to attack our critical infrastructure,” she said. “This would be a list of entities, not specific assets,” Reitinger said. In that case, the list of critical infrastructure entities would need to be open in order to move forward, he said.