By Gautham Nagesh - 10/30/11 08:33 PM EDT
The White House and Senate appear to be in agreement on both the urgency and broad outline of cybersecurity legislation; at a classified meeting earlier this month Obama administration officials stressed the need to pass legislation to update federal standards this year.
White House cybersecurity coordinator Howard Schmidt called the meeting "very encouraging" in a blog post published Friday emphasizing the urgent need for new federal cybersecurity regulations to cover private sectors deemed critical such as utilities, communications providers and financial institutions.
"Unfortunately, time is not on our side. Since the White House delivered the Administration’s proposal to Congress, a number of new security breaches have been reported," Schmidt said. "We need Congressional leaders to move forward with a cross-committee and bipartisan approach."
But House Republicans appear resistant to the regulatory approach favored by Democrats and the White House, which would embrace a broader definition of critical infrastructure and give the Department of Homeland Security more authority to force private firms to comply with federal cybersecurity standards.
The GOP recently unveiled its own recommendations for comprehensive cybersecurity legislation, which favor incentives and information-sharing over government mandates. They also restrict the new rules to nuclear power, water treatment facilities and other highly regulated sectors.
Langevin said his reaction to the Republican proposal was generally positive and suggested there is room for compromise between the two parties, particularly since there is bipartisan support for legislation that would allow firms to share more information on cyber threats without incurring legal liability.
While Langevin feels some form of regulation will be necessary for critical infrastructure providers, he said an information-sharing bill would constitute progress, especially considering how little attention cybersecurity received as a policy issue just a few years ago.
"Four years ago when I first started with this issue, it was not something that was widely thought about or written about," Langevin said. "The process was just beginning....as a country we were just waking up to the fact we were getting hacked and penetrated at an unacceptable level."
Langevin is particularly concerned about securing the electric grid, where he believes the potential for cyber attacks to create physical damage is greatest. He pointed to the development of more sophisticated viruses such as Stuxnet as evidence the threat is increasing.
He also stressed the need for the administration and military to define what constitutes an attack and what the appropriate response would be, echoing the concerns of Senate Armed Services chairman Carl Levin (D-Mich.).
"That may remain classified, but it has to be fleshed out," Langevin said. He said right now it would be considered an act of war in a broad sense if a cyberattack causes a loss of life and said that would likely be a guideline used by the industry, though he has no personal knowledge of their stance on the issue.
Langevin also suggested the rules on what would constitute a cyber attack or act of war should be worked out through international organizations like the United Nations and NATO, perhaps through an international agreement similar to the Geneva Convention.
He voiced opposition to having the military overly involved in private sector or civilian cybersecurity beyond providing support to DHS, citing privacy and civil liberties concerns.