WH Hopeful on Cyber Legislation Passage
Senior Administration Official Shares Thoughts in Private Chat
Hope springs eternal at the White House, at least when it comes to Congress passing meaningful cybersecurity legislation, something it hasn't done in 11 years.
"I continue to be optimistic that we can, through continued engagement with Congress, figure out a way to get meaningful cybersecurity legislation passed," says a senior Obama administration official in a conversation we had on Aug. 13. We spoke on background, meaning the executive would not be identified by name or title.
But the administration policymaker says getting Congress to enact cybersecurity legislation won't be easy. "We'll figure out a way to get there," the official says. "It may be less direct and a little more bumpy than we would have originally liked, but I think ultimately we can get some legislation that will make a meaningful difference and improve our cybersecurity."
White House Legislative Lineup
What would be on the administration's legislative agenda? Three bills come to mind: legislation to encourage government and industry to share cyber-threat intelligence; reform of the Federal Information Security Management Act, the law that governs federal government IT security; and more transparency in intelligence-gathering programs that would enhance civil liberties and privacy protections.
The Republican-controlled House passed one of those bills - the Cyber Intelligence Sharing and Protection Act, known as CISPA - in April [see House Handily Passes CISPA]. But the measure to promote cyber-threat information sharing has stalled in the Democratic-controlled Senate over a presidential veto threat [see White House Threatens CISPA Veto, Again]. The administration supports many provisions in CISPA, but objects to two major aspects of the legislation: the broad liability protection offered to businesses that share cyber-threat information, and the failure to compel businesses to minimize personally identifiable information shared with the government.
"Obviously, it needs to have enough [liability protection to] influence behavior, but it needs to be scoped narrowly so it doesn't have a lot of unintended consequences," the official says. "Companies should have to minimize the amount of identifiable information in any sharing they do with the government."
Acknowledging DHS's Cybersecurity Role
FISMA was enacted as part of the E-Government Act of 2002, and using his executive powers, President Obama has granted the Department of Homeland Security greater authority to govern IT security among civilian agencies. That's one reason the law must be updated. "When that statute was written, DHS didn't really exist," the administration policymaker says. "Giving greater clarity to DHS's role in that space would be very helpful."
FISMA requires federal agencies to regularly file a checklist of IT security practices that supposedly shows they comply with the law. Few IT security experts believe these reports demonstrate the systems are truly secure. Over the past few years, agencies have begun to implement continuous diagnostics, formerly known as continuous monitoring, which automatically check whether systems are secure. The administration sees the paper reporting system, which is still the law, as less reliable and a waste of money. "We don't want to tie up resources to producing those," the official says, providing another reason to reform FISMA.
Obama last week outlined a four-part plan to bring more transparency to the way the U.S. intelligence community surveils American citizens, which includes the appointment of a tony panel to make recommendations [see Obama Seeks to Limit the Insider Threat]. Any legislation to place limits on the e-spying isn't expected to come until after the panel reports in mid-December.
Heavily Invested in Cybersecurity Reform
White House legislative offerings likely will not be the comprehensive packages proposed during President Obama's first term. "We will look at all the different ways we can put pieces of legislation together," the official says. "It may not come out as one giant, sweeping piece of cybersecurity legislation. We would be okay with that."
The aim among lawmakers on both sides of the aisle to get cybersecurity legislation enacted drives the administration official's cautious optimism that deals can be reached.
"There are a lot of members up there that are invested heavily in this area, and I think that still leaves us room to maneuver," the official says. "It's always difficult to predict how things will go. I've been in Washington, D.C., long enough to avoid making predictions about Congress. But I do believe that we still have a window of opportunity, and from the administration's perspective, we're going to continue our press to get legislation."