Senate Dems want to go beyond cyber framework

Senate Democrats on Wednesday pushed back against the private sector’s praise of the White House’s voluntary cybersecurity framework for businesses, arguing Congress needs to do more.

“The voluntary program works as long as everybody is volunteering,” said Sen. Bill NelsonClarence (Bill) William NelsonDemocrats cool on Crist's latest bid for Florida governor Crist launches bid for Florida governor, seeking to recapture his old job The Hill's 12:30 Report - Presented by ExxonMobil - Trump, Cheney trade jabs MORE (D-Fla.), ranking member of the Senate Commerce Committee, during a hearing.


“I believe there needs to be greater government direction, legislative involvement, for the moment,” added Sen. Richard Blumenthal (D-Conn.).

The government’s standards-setting agency, the National Institute of Standards and Technology (NIST), developed the framework in response to a 2013 White House executive order. It’s intended to give companies a way to assess cyber vulnerabilities and defend against cyberattacks.

The Commerce Committee is considering passing additional data breach notification legislation this year. The measure, which Nelson recently introduced, would require companies to notify both customers and the government following a data breach. It would also task the Federal Trade Commission with creating and enforcing nationwide minimum data security standards.

Several industry group executives testified Wednesday that the framework is sufficient. They said it has helped members reshape their approach to cybersecurity, better understand their cyber risks and nimbly respond to threats.

“One of the best examples of a public-private partnership,” said Ann Beauchesne, vice president of the Chamber of Commerce’s National Security and Emergency Preparedness Department.

But with the rise in massive cyberattacks over the last year, several senators wondered just how effective the framework actually has been.

“How can you say that everything’s working, as you testified?” Nelson asked Beauchesne after listing several high-profile breaches — Home Depot, JPMorgan and Sony Pictures.

“The threat is evolving quickly,” Beauchesne said. And companies need the framework’s flexibility to respond to these rising threats, she said. “They want to protect their information.”

With the framework just a year old — the NIST released the first version in February 2014 — there are very few metrics to track adoption and effectiveness.

The NIST is working on to create these measures, said Charles Romine, director of the NIST’s Information Technology Laboratory.

“The amount of momentum is pretty striking, given that fact that it’s in its youth,” he said.

“The question is not how many folks are adopting the framework, but how effective it is,” said Sen. Gary Peters (D-Mich.). “I think the jury is still out. It’s still new.”

And the NIST is not necessarily the best-equipped agency to collect such effectiveness data, said Jim Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS).

Lewis said there are useful FBI statistics on how many companies it notifies each year about breaches, as well as intelligence community data on the success rate of foreign hackers that “would suggest we’re not doing so well.” The Commerce Department also collects some data, he said.

“Right now, there’s no lead federal government agency in terms of getting our arms around the problem?” Sen. Brian Schatz (D-Hawaii) asked.

“No, there is not,” Lewis replied.

Continued legislative inaction is letting the problem spiral out of control, Blumenthal said.

“The best and most immediate response is for the private sector to do more with the encouragement and incentives that the government can provide,” he said.

Blumenthal indicated he thinks legislative action is the only way to provide those incentives.

“We are susceptible now by choice,” he said.

In addition to Nelson’s data breach bill, some have wondered if the government will eventually make the NIST framework mandatory, despite NIST’s repeated insistence it will not do so.

“I think this program will remain voluntary until there are too many incidents to ignore,” Lewis said. “We’re approaching that.”