Cybersecurity Concerns Lead to House Support for Senate Leiberman-Collins-Carper Cybersecurity Bill

June 18, 2010

The U.S. House of Representatives’ Committee on Homeland Security (“HSC”) held a Wednesday morning hearing on “Cybersecurity: DHS’s Role, Federal Efforts and National Policy.” Archived video of the hearing is available here(Windows Media). A single panel appeared before HSC:

(1) Greg Schaffer, Assistant Secretary, Cybersecurity and Communications, Department of Homeland Security (“DHS”)

(2) Richard Skinner, Inspector General, DHS

(3) Gregory Wilshusen, Director, Information Technology, Government Accountability Office (“GAO”)

(4) Stewart Baker, Partner, Steptoe & Johnson, LLP

The hearing showed bi-partisan support for the recently introduced Senate cybersecurity bill. On June 10, 2010, Sens. Joseph Lieberman (ID-CT), Susan Collins (R-ME), and Thomas Carper (D-DE) introduced the Protecting Cyberspace as a National Asset Act of 2010 (S.3480). Reps. Jane Harman (D-CA), chair of HSC’s Intelligence, Information Sharing and Terrorism Risk Assessment Subcommittee, and Peter King (R-NY), HSC’s Ranking Member, both indicated support for the Senate bill and said they planned to introduce a similar bill in the House. Rep. Charles Dent (R-PA) also expressed support.

Chairman Bennie G. Thompson (D-MS) discussed current Department of Homeland Security (“DHS”) cybersecurity deficiencies and urged DHS to work with state, local and tribal governments, as well as the private sector, to ensure protection of national cyber infrastructure. Schaffer noted that improving cybersecurity is one of DHS’s top five mission goals. Skinner sees DHS, and particularly the U.S. Computer Emergency Readiness Team (“US-CERT”), as coming a long way since 9/11, but feels a lot more needs to be done, especially concerning five issues: (1) the program is still under the same leadership; (2) money was not in place to start building infrastructure until 2010; (3) DHS lacks any mechanism to enforce recommendations; (4) DHS must remember that it’s not in this alone and can partner with the private sector and other federal agencies; (5) DHS should improve outreach efforts, such as education and training. Wilshusen noted that some GAO recommendations were being implemented, but DHS still must do more. Similarly, Baker, acknowledged that DHS is acting, but it is not acting quickly enough and it needs more authority to adequately protect the nation’s cyber infrastructure.

Throughout its questioning of the panelists, the HSC raised several concerns with the security in place for the nation’s cyber infrastructure. The panelists could not be sure of how many times federal systems were attacked on a daily basis, nor to what percentage such attacks were being deterred, but Schafer noted that Einstein II showed 278,000 malicious acts (not all of which were necessarily successful) at the perimeter of federal networks. In response to Rep. Smith’s asking the panelists to compare the private and federal sector’s abilities to deter malicious activity, Baker thought the private sector has a stronger system in place as the federal sector was just starting to implement programs that detect, but not reject, malicious activity. Further, the panelists noted uncertainty as to who or what agency would take charge in the case of a cyber attack also troubled HSC members.
Wilshusen also expressed doubt when Rep. Dan Lungren (R-CA) asked whether DHS was doing the best it could with the personnel, funding and authority it has right now. Instead, he feels protective mechanisms do exist, but often remain unimplemented and employees remain untrained in how to use them. Wilshusen also guestimated that DHS had implemented only approximately 30-40 percent of the GAO’s recommendations contained in its March 10, 2009 “National Cybersecurity Strategy” report.

US-CERT staffing served as another recurring concern throughout the hearing. Schaffer noted the difficulties inherent in trying to find people to fill open spots. The positions US-CERT is trying to fill require highly qualified, and thus highly competitive, hires. Rep. Zoe Lofgren (D-CA) emphasized the importance of getting appropriately qualified people to fill DHS staffing requirements and supported the use of contractors to have access to more competitive hires who may not even consider applying for a lower paying federal job.

Privacy and civil liberties remained muted issues until Rep. Jane Harman (D-CA) raised them during her comments and questions. Rep. Harman emphasized that, while we must protect our cyber infrastructure, we must not overprotect it at the cost of losing privacy and civil liberties. When asked where privacy and civil liberties fit into the equation, Schaffer noted that consideration of civil liberties is critical in forming programs at DHS. Skinner confirmed that DHS takes into account civil rights and civil liberties when implementing programs. Baker acknowledged that mechanisms to deal with privacy should be in place, but such mechanisms should act quickly so as to not hang up important implementations of the protective measures.
A final recurring theme of the hearing was DHS authority. The panelists expressed concern over DHS’s lack of authority to enforce other agencies to follow its recommendations. Schaffer explained that, when DHS sees an attack, it provides information about the attack to the effected agency, provides ways to stop the attack, and works with the agency to understand and implement any processes to address the attack. However, if the agency does not want to implement the recommended measures, DHS cannot force them. As Baker later went on to explain, it is difficult to tell an agency it must implement computer protection software as doing so will cost money. The Chairman closed the hearing asking all four panelists whether DHS needs more authority. Schaffer explained that he could not comment, but the remaining three panelists all answered affirmatively.

Related Articles

CCIA Whitepaper Identifies National Security Risks Posed By House Bills Targeting U.S. Tech Companies

Sep 13, 2021

Washington — The Computer & Communications Industry Association has released a white paper on the national security implications of several House-passed bills aimed at a handful of U.S. tech companies as they compete with foreign companies. These bills were introduced in June 2021 and were marked up without legislative hearings or input from stakeholders, particularly…

New EU Cybersecurity Rules Should Promote Security Mitigation, Avoid Compliance Red Tape

Dec 16, 2020

Brussels, BELGIUM — The European Commission published today a legislative proposal to update the 2016 Network and Information Security Directive.  The proposal aims to reduce regulatory inconsistencies across the EU’s internal market and it encourages security information sharing to help companies effectively address future cybersecurity risks. But the proposal also suggests that cloud computing providers,…

CCIA Offers European Commission Comments On Data Transfer Method

Dec 11, 2020

CCIA submitted comments to the European Commission on the draft new Standard Contractual Clauses (‘SCC’) to transfer data outside of the EU. CCIA believes this transfer tool will pave the way towards greater legal certainty for most data transfers outside the European Union. However, the tool could still be made more practical for companies to…