Senators vow action on cybersecurity, but divisions remain

"If there are certain areas that we can come to agreement on, then we should move those immediately and then come back to the other areas that we have to address," Ayotte said.

Both Republicans and Democrats said they hoped the recent release of President Obama's executive order would spur Congress to move forward on cybersecurity legislation and address the security gaps that remain. 

Sen. John Thune (R-S.D.) said the executive order "may provide an opportunity for Congress to find common ground on other steps that will improve our cybersecurity." 

For his part, Senate Homeland Security Chairman Tom Carper (D-Del.) told reporters following the hearing that he was open-minded to passing a smaller bill rather than a comprehensive one. 

"Let's assume for argument's sake there are four elements, and if we can take them separately and move them more quickly...then let's do it sequentially," Carper said. "On the other hand, if we can move a comprehensive package in a reasonably expedited way, I'd be for that. I'm for what works."

Rockefeller warned that passing a bill solely focused on improving information sharing about cyber threats between government and industry would be "wholly insufficient." He noted that some have argued that Congress should focus its efforts on passing a bill, such as the House's Cyber Intelligence Sharing and Protection Act, because both parties and chambers agree there needs to be better intelligence sharing about cyber threats.

During his line of questioning to the witness panel, Rockefeller attempted to poke holes in that argument and make the case for a comprehensive cybersecurity bill. He said two things are "critical to a good bill": new practices and standards for critical infrastructure providers and programs to expand the pool of skilled cyber professionals.

"We've got to do our full work this year," he said.

When asked by Rockefeller, Homeland Security Secretary Janet Napolitano said a cyber information-sharing bill doesn't go far enough to fully address the cyber threat facing the country. She also listed what she called "deficiencies" in the House bill.

Napolitano said the measure lacked sufficient privacy protections and noted that it put the National Security Agency (NSA) at the center of cyber intelligence sharing efforts. 

"There were no privacy protections built within it and it resided almost all of the cyber information monitoring responsibilities within the NSA, which of course is part of the military," Napolitano said.

Last year, Senate Republicans tried to push a cybersecurity bill that focused on improving information sharing efforts about cyber threats, rather than creating a set of best practices and standards for firms to follow.

Napolitano urged lawmakers to put the measures included in the executive order in statute so they can be carried over to future administrations. She said cybersecurity legislation should also focus on updating the federal government's information security management program, increasing research and development in cybersecurity, and giving the Department of Homeland Security the ability to hire more cyber professionals.

"Information sharing is very, very important…but it is not the only concern we have in this arena," she said.

Patrick Gallagher, under secretary of commerce for standards and technology, echoed a similar point. He said companies need to have the proper cybersecurity measures in place before they can appropriately act on any threat intelligence information they receive from the government.

"I think cybersecurity doesn't lend itself to simple solutions," he said. "[Companies] have to have the capability to act on that information."

The successful implementation of the administration's cybersecurity executive order hinges heavily on industry participation and feedback. 

The order directs the Commerce Department's National Institute of Standards and Technology (NIST) to work with industry groups and companies to craft a set of cybersecurity best practices and standards for businesses to incorporate into their computer systems and networks.

Gallagher said Commerce expects to have "enormous participation" from industry.

But there is some criticism directed towards a section of the cyber order that calls on the Department of Homeland Security to lead a voluntary program where critical infrastructure firms would elect to follow NIST's cybersecurity best practices and standards. Some have questioned whether companies would actually participate in the program.

Napolitano said the administration is considering potential incentives — within the limits of the executive order — to entice industry to join the program. Unlike congressional legislation, an executive order cannot grant new powers or authorities, such as liability protection for companies if they are hit by a cyberattack.

She said the administration is considering offering a "seal of approval" to companies who join the Homeland Security-led program and a "procurement preferences acquisition" process.

"The market in and of itself has not provided sufficient incentives yet for all businesses to voluntarily raise their [cybersecurity] standards," Napolitano said.

David Kepler, chief information officer of Dow Chemical Company, noted that the executive order did not cover information technology companies. He highlighted this carve-out and noted that companies that operate critical infrastructure use the software products that information technology companies manufacture.

"I hope this doesn't mean the IT sector gets a free pass," Kepler said.

This post was updated at 7:23 p.m.