Republicans air doubts about White House cybersecurity plan


National Institute of Standards and Technology (NIST) senior policy adviser Ari Schwartz pushed back against Goodlatte's characterization, arguing the White House plan contains no technical mandates. 

The Obama administration is the first to issue detailed legislative language on cybersecurity, but officials have emphasized that their bill is a starting point and that they are open to working with Congress to hash out the details.

When associate deputy attorney general James Baker said as much at the hearing, Rep. Sandy Adams (R-Fla.) took the opportunity to emphasize that Congress will take the lead on any potential cyber bill.

“I’m happy that the agencies want to work with us on legislation that we’d be drafting, that’s a good thing," Adams said. "I would hate to think that you would think you can draft the legislation.”

Schwartz said the administration's approach would compel industry to participate in the creation of quantifiable security performance measures, with firms able to create their own security plans as long as they comply.

Goodlatte questioned whether the difference between technical mandates and performance measures was simply semantics, while Schwartz attempted to distinguish the two by emphasizing the metrics that would be used to evaluate the performance measures.

Rep. Darrell Issa (R-Calif.) questioned why DHS and not NIST would be responsible for helping create and enforce the security standards, arguing the Department of Commerce would be a more natural fit to regulate commercial firms like Facebook and Google. He labeled DHS "dysfunctional at times."

DHS assistant secretary for cybersecurity and communications Greg Schaffer replied that DHS has spent a considerable amount of time and effort on cybersecurity issues in the private sector in recent years and is home to much of the government's expertise in that area.

Schwartz said NIST would be available to help industry establish its security standards on a voluntary basis.