Congress to industry: 'We need your help'
A lack of information and expertise on the part of legislators can hamper effective cyber security legislation, says one House lawmaker.
SAN FRANCISCO - Making national cybersecurity policy is an always difficult and often thankless task, the director of a House subcommittee told an audience Wednesday at the RSA Security conference.
'One of the things that make cybersecurity difficult is that there are a lot of mixed messages out there,' said Jacob Olcott of the House Homeland Security Subcommittee on Emerging Threats, Cyber Security, and Science and Technology. Some see the threat of cyberterrorism as a reality, and others think dire pronouncements are overblown. 'There is a lot of disagreement about what, exactly, we're dealing with.'
And there is a confusing amount of overlap in congressional oversight of the subject, Olcott said. Who is in charge of cybersecurity? 'Everybody and nobody.'
Committee jurisdictions are spelled out by House rules issued for every Congress, but the rules do not specifically mention cybersecurity. Vying for authority, in addition to the Homeland Security Committee, are the Government Reform Committee, which wrote and is rewriting the Federal Information Security Management Act; the Intelligence and Armed Forces committees; the Energy and Commerce Committee; and the Judiciary Committee, which is considering cybercrime legislation. And, Olcott said, 'every other committee in the House that oversees an agency would probably claim jurisdiction over that agency's network.'
Conflicting priorities and approaches can make it difficult to get anything done.
'Writing and passing legislation is never as easy as 'School House Rock' would make it appear,' Olcott said.
Olcott's subcommittee has taken an aggressive stance on cybersecurity, holding a series of hearings on the subject and investigating the penetration of a number of government networks from which information appears to be funneled to Chinese-language servers. The result has been a heightened awareness of network security issues within government and efforts to hold agency chief information officers and chief information security officers accountable for breaches. One result has been a requirement in a DHS Transportation Security Agency network procurement that the security operations center be operated separately from the network, giving a greater degree of independence.
But a lack of information and expertise on the part of legislators can hamper effective legislation.
'Some of our members don't even use computers,' Olcott said. 'They have some discomfort talking about technology.'
Fortunately, the subcommittee approaches cybersecurity as a management issue rather than a technology issue, and much of the heavy lifting is done by committee staff members.
'It is the staff that actually writes the legislation,' he said.
Olcott said the committees needed input from industry to develop effective regulatory structures. He invited industry representatives to lobby their congressmen and, more important, the staff members. Lobbying and earmark appropriations are not necessarily bad things, he said, and industry can make positive contributions to the process.
Time is becoming tight for passing new legislation in the current Congress, and Olcott said it was unlikely that much, if any, of the legislative agenda many industry speakers have advocated at this week's conference will see the light of day.
'The 110th Congress is winding down,' he said. Industry would like to see a national data breach notification law replace the state laws now in place in addition to a cybercrime bill that would put some prosecutorial teeth into federal computer crime laws. 'I don't think there's much chance of either of these bills getting out of committee, let alone being heard on the floor,' Olcott added.
On the other hand, he cited two bills as having a chance of passage. The Government Reform Committee is updating the Federal Information Security Management Act to correct some problems with the government's primary information security regulation. 'I think there is a chance that passes,' he said. And his subcommittee is working on a DHS CIO authorization bill to correct problems identified in the department's CIO office.