Cybersecurity Concerns Lead to House Support for Senate Lieberman-Collins-Carper Cybersecurity Bill
U.S. House of Representatives’ Committee
Homeland Security (“HSC”) held a Wednesday morning hearing on
“Cybersecurity: DHS’s Role, Federal Efforts and National Policy.”
Archived video of the hearing is available
Media). A single panel appeared
Schaffer, Assistant Secretary, Cybersecurity and
Department of Homeland Security (“DHS”)
Skinner, Inspector General, DHS
Wilshusen, Director, Information Technology,
Accountability Office (“GAO”)
Baker, Partner, Steptoe & Johnson, LLP
hearing showed bi-partisan support for the recently introduced Senate
cybersecurity bill. On June 10,
2010, Sens. Joseph Lieberman (ID-CT), Susan Collins (R-ME), and Thomas Carper
(D-DE) introduced the Protecting Cyberspace as a National Asset Act of
(S.3480). Reps. Jane Harman
(D-CA), chair of HSC’s Intelligence,
Sharing and Terrorism Risk Assessment Subcommittee, and Peter
King (R-NY), HSC’s Ranking Member, both indicated support for the Senate
and said they planned to introduce a similar bill in the House. Rep.
Charles Dent (R-PA) also expressed
G. Thompson (D-MS) discussed current Department of Homeland
(“DHS”) cybersecurity deficiencies and urged DHS to work with state,
tribal governments, as well as the private sector, to ensure protection
national cyber infrastructure. Schaffer
noted that improving cybersecurity is one of DHS’s top five mission
sees DHS, and particularly the U.S. Computer Emergency Readiness Team
(“US-CERT”), as coming a long way since 9/11, but feels a lot more needs
done, especially concerning five issues: (1) the program is still under
same leadership; (2) money was not in place to start building
2010; (3) DHS lacks any mechanism to enforce recommendations; (4) DHS
remember that it’s not in this alone and can partner with the private
and other federal agencies; (5) DHS should improve outreach efforts,
education and training. Wilshusen
noted that some GAO recommendations were being implemented, but DHS
do more. Similarly, Baker,
acknowledged that DHS is acting, but it is not acting quickly enough and
needs more authority to adequately protect the nation’s cyber
its questioning of the panelists, the HSC raised several concerns with
security in place for the nation’s cyber infrastructure. The panelists
could not be sure of how
many times federal systems were attacked on a daily basis, nor to what
percentage such attacks were being deterred, but Schaffer noted that
showed 278,000 malicious acts (not all of which were necessarily
the perimeter of federal networks.
In response to Rep. Smith’s asking the panelists to compare the private
and federal sector’s abilities to deter malicious activity, Baker
private sector has a stronger system in place as the federal sector was
starting to implement programs that detect, but not reject, malicious
activity. Further, the panelists
noted uncertainty as to who or what agency would take charge in the case
cyber attack also troubled HSC members.
Wilshusen also expressed doubt when
Rep. Dan Lungren (R-CA) asked whether DHS was doing the best it could
personnel, funding and authority it has right now. Instead, he feels
protective mechanisms do exist, but often
remain unimplemented and employees remain untrained in how to use them.
Wilshusen also guesstimated that DHS had implemented only approximately
percent of the GAO’s recommendations contained in its March 10, 2009 “National Cybersecurity
staffing served as another recurring concern throughout the hearing.
Schaffer noted the difficulties
inherent in trying to find people to fill open spots. The positions
US-CERT is trying to fill require highly
qualified, and thus highly competitive, hires. Rep. Zoe Lofgren (D-CA)
emphasized the importance of getting
appropriately qualified people to fill DHS staffing requirements and
the use of contractors to have access to more competitive hires who may
even consider applying for a lower paying federal job.
and civil liberties remained muted issues until Rep. Jane Harman (D-CA)
them during her comments and questions.
Rep. Harman emphasized that, while we must protect our cyber
infrastructure, we must not overprotect it at the cost of losing privacy
civil liberties. When asked where
privacy and civil liberties fit into the equation, Schaffer noted that
consideration of civil liberties is critical in forming programs at DHS.
Skinner confirmed that DHS takes into
account civil rights and civil liberties when implementing programs.
Baker acknowledged that mechanisms to
deal with privacy should be in place, but such mechanisms should act
as to not hang up important implementations of the protective measures.
final recurring theme of the hearing was DHS authority. The panelists
expressed concern over
DHS’s lack of authority to enforce other agencies to follow its
explained that, when DHS sees an attack, it provides information about
attack to the affected agency, provides ways to stop the attack, and
the agency to understand and implement any processes to address the
attack. However, if the agency
does not want to implement the recommended measures, DHS cannot force
them. As Baker later went on to
explain, it is difficult to tell an agency it must implement computer
protection software as doing so will cost money. The Chairman closed the
hearing asking all four panelists
whether DHS needs more authority.
Schaffer explained that he could not comment, but the remaining three
all answered affirmatively.