The Obama Administration talked up a collaborative, voluntary and stakeholder-driven cybersecurity best practices framework at a Senate hearing Wednesday, but also said Congress should legislate that voluntary framework.
That came in an unusual joint hearing between the Senate Commerce Committee and Homeland Security Committee on implementing the president's executive order establishing that voluntary framework.
Senators from both committees and on both sides of the aisle agreed that cyberattacks were a growing threat that needed a coordinated government response. Several senators said they thought there was a possibility for consensus legislation in this Congress -- attempts to do so failed in the last Congress.
But Rockefeller and the two administration witnesses, Department of Homeland Security Secretary Janet Napolitano and Patrick Gallagher of the National Institute of Standards and Technology, agreed that Republican-backed House legislation that dealt primarily with information sharing was not sufficient to address the problem. NSA is charged by the White House with facilitating and providing technical support for the industry-driven cybersecurity framework.
That House bill, which is backed by the National Cable and Telecommunications Association, was reintroduced this session by Rep. Mike Rogers.
Napolitano said a "suite" of legislation was needed that would 1) incorporate privacy and civil liberties; 2) create information sharing standards; 3) provide additional tools to fight cybercrime; 4) create a data breach reporting requirement; and 5) give DHS hiring authority equivalent to the National Security Agency.
In his opening statement, Senate Commerce chairman Jay Rockefeller (D-W.Va.) said that an attack on a private company was the same as an attack on the entire nation when it involved critical infrastructure; melding government and private interests was one of the things that made the cybersecurity issue a difficult one.
Sen. Mark Warner (D-Va.) said that he was concerned about a voluntary framework without some kind of legislative enforcement backstop, because a company that did not volunteer could become an entry point for attacks on participants who were using those best practices. Warner said that, given the increase in attacks, he saw some movement in the business community toward having an enforcement mechanism.
Republican Sen. Tom Coburn (R-Okla.) praised the president's executive order, but also said he was concerned about the government's role in cybersecurity given its own difficulties protecting the government's computer systems.
Gallagher repeatedly emphasized that the voluntary cybersecurity framework created by the president's executive order was just that, and that he wanted industry to come up with that framework. Napolitano said that the government would use carrots rather than sticks for industry, including procurement and contract incentives for adopting standards.
Gallagher said the goal is to set standards, and have industry decide how best to do that. Napolitano said that to the extent that this is a national security interest and the government is leaving it to industry, that is a first, and a "grand and bold experiment," rather than a top-down government process as is usually the case with national security.
Gallagher suggested an added benefit of having the industry drive the framework is that the government sequester cuts would not have much effect on that process, as opposed to a government top-down process.
Asked why there seemed to be a shift in the industry, Napolitano suggested it was because the president involved them in the creation of the executive order itself, and because the administration did not stop work when the Democrat-backed bill failed in the last Congress.