By Gautham Nagesh - 06/29/10 02:33 PM EDT
A bill co-sponsored earlier this month by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.) that recently passed the Senate Committee on Homeland Security and Governmental Affairs would put the Department of Homeland Security in charge of securing both civilian federal networks and private sector assets deemed critical to national security, such as power companies and financial institutions.
Senators including John McCain (R-Ariz.) and Kit Bond (R-Mo.) have argued DHS is poorly suited to lead on cybersecurity because it already has too much on its plate. Bond introduced his own bill last week with Sen. Orrin Hatch (R-Utah) that would create a federal cybersecurity coordinator in the Department of Defense who reports directly to the president.
A spokesperson for Lieberman responded to the criticisms by pointing out DHS already has responsibility for guarding federal civilian networks but lacks the authority to protect them. She also argued that putting the Pentagon in charge of civilian cybersecurity "would be inappropriate."
"DHS’s mission and expertise are precisely tailored for protecting cyber networks and assets," said Lieberman communications director Leslie Phillips. "DHS, of course, will draw on the expertise of NSA and perhaps even DoD’s Cyber Command for technical assistance, just as it will call on the White House for leadership and strategic direction. But the operational lead should not only be a civilian agency but an agency that already is charged with protecting federal civilian networks and that has expertise in critical infrastructure."
The role of the White House in overseeing cybersecurity is another topic of much debate. Both bills give operational authority to a presidentially appointed, Senate-confirmed cybersecurity coordinator located outside of the White House. The goal is to preserve congressional oversight over cybersecurity; according to Lieberman, current White House cybersecurity coordinator Howard Schmidt has refused to testify in front of the Senate Homeland Security Committee, citing executive privilege.
The Lieberman-Collins-Carper bill also gives the president emergency authority to shut down private sector networks in the event of a cyber attack. That provision has attracted widespread criticism from privacy advocates, who claim it amounts to giving the president a "kill switch" over the Internet. Collins has said the president already has that authority under Section 706 of the Communications Act. Testimony by DHS under secretary Philip Reitinger earlier this month indicates the administration shares that view.
"The last thing the American people want is empowering this — or any other — administration the power to 'flip the switch' on the Internet," Bond said. "The government should first get our own cybersecurity house in order and work with the companies on the front lines of this war, not empower Big Brother."
The committee passed an amendment last week at the urging of Sen. Tom Coburn (R-Okla.) limiting the emergency authority by requiring congressional re-approval to keep networks shut down beyond 120 days after the initial threat. The original language allowed the president or DHS to keep networks closed simply by asserting the threat still exists.
“Dr. Coburn believes no president should have unchecked authority over the Internet, including in matters of national defense," said Coburn spokesman John Hart. "Congress should always act as a check against any possible abuse of this power.”
The Homeland Security bill also gives DHS new authority to impose minimum security requirements on both federal agencies and critical private sector networks. Republicans worry these requirements could become burdensome mandates that prevent innovation and fail to adapt to threats as they develop, similar to the current Federal Information Security Management Act, which has been criticized for its focus on compliance rather than on actively monitoring network threats.
A Senate aide, who asked not to be identified, said the department needs the authority to fulfill its mission of protecting the government's networks, and cited a recent DHS inspector
as evidence. The aide said under the bill DHS will only have the authority to impose risk-based minimum requirements, not mandate how companies or agencies should protect their networks. The aide said critics of the provision are really opposed to any type of security requirements on private companies.
Another bill co-sponsored by Sens. Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.) would require companies to comply with cybersecurity practices established by the National Institute of Standards and Technology, part of the Commerce Department. Rockefeller and Snowe both sit on the Senate Commerce Committee; Rockefeller is the chairman.
Under the Bond-Hatch bill any private sector involvement would be voluntary and free of minimum security requirements. Companies would be eligible to take part in a collaborative center at the Department of Energy where they could share information on security threats and best practices. Bond said any discussions within the center would not be subject to the Freedom of Information Act or antitrust regulations, to encourage companies to be forthright about the threats they face and how they are responding.