The co-author of Senate legislation that would leave the creation and enforcement of cyber security standards to the private sector entities that have to implement them doesn’t appear to be inching toward a compromise with colleagues who have introduced a cyber bill that would give the Department of Homeland Security (DHS) authority to set and enforce minimum security standards.

Amid calls from some of his colleagues as well as current and former national security officials to get cyber security legislation passed quickly, Sen. John McCain (R-Ariz.) said on Wednesday that he has learned in his 25 years in Congress that the “first thing we should observe” is “first do no harm.”

McCain said, “So when you say do something, one thing we should not do is not get it right. And one of the things we should not get right is giving the Department of Homeland Security authority to issue a blizzard of regulations unchecked and unmonitored.”

Pointing to what he said are basically the same aviation checkpoint procedures that have been in place and operated by the Transportation Security Administration since right after 9/11, McCain said his “confidence in the Department of Homeland Security to be the lead agency [for cyber security] is extremely limited.”

Earlier this week, the head of the nation’s military cyber operations and defenses urged Congress to move forward with cyber security legislation that creates an environment in which the owners and operators of critical infrastructure—which is largely within the private sector—immediately notify the government when they are under a cyber attack (Defense Daily, July 10). Army Gen. Keith Alexander didn’t take sides with a particular piece of legislation but said the government needs to know of attacks in real-time.

During a hearing on Wednesday hosted by the Senate Homeland Security and Governmental Affairs Committee that explored evolving and emerging threats facing the homeland, Michael Hayden, a former director of both the National Security and Central Intelligence agencies, said of the various pieces of cyber legislation floating around Congress, “I’d do it all. I don’t view these fundamentally to be competing bills. I’d get NSA on the field. I’d try to get standards into our critical infrastructure.”

Hayden also said that he supports a bill approved in the House in April that requires the intelligence community to share cyber threat information with the private sector (Defense Daily, April 30). All of these bills “are steps in the right direction” and can always be adjusted in the next one to three years if necessary, he pointed out.

Legislation putting DHS in charge of establishing and enforcing minimum security standards for the nation’s critical infrastructure was crafted by Senators Joseph Lieberman (I/D-Conn.) and Susan Collins (R-Maine), the chairman and ranking member of the Senate committee. Lieberman said that Hayden’s testimony and that of other witnesses to the effect that the cyber threat will only get worse in the coming years points to the need for “thoughtfully” creating and passing a bill in Congress this year rather than in response to an attack, which will result in a law that isn’t thought out.

Lieberman’s committee held a second round of hearings yesterday that focused on the evolving role and missions at DHS. Lieberman, who will be retiring from the Senate at the end of 2012, hopes these, and additional hearings he has planned, help guide the committee’s future leadership on dealing with DHS as it faces a more complex threat environment in the face of flat to declining budgets.

In his opening remarks yesterday, Lieberman highlighted a number of successes and positive trends at DHS in the past decade but said its biggest internal challenges mainly have to do with management issues. He said that the operational components need to be better integrated with each other and the department headquarters, and pointed in particular to DHS’ struggles in establishing requirements and then marrying these to acquisition programs that “stay on track.”

Richard Skinner, the former Inspector General at DHS who now is an independent consultant, testified at the hearing that when the department was created, the core infrastructure of human resources, financial and information technology management was overlooked and “we’ve been digging ourselves out of a hole ever since.” These functions create the platform on which the rest of DHS operates, he said.

The reasons for the management troubles are both budgetary and cultural, Skinner said. He said that while gains were made in financial management in 2011, they are threatened by budget cuts in 2012.

Thad Allen, the former Coast Guard Commandant who is now with Booz Allen Hamilton [BAH], testified on Thursday that the core management functions suffered in the haste to create DHS in 2002 and 2003. The legacy agencies were brought together with different processes and support structures, and little has changed, he said.

“And because of that a lot of the resources associated with how you actually…need to run the department rest in the components and still do today,” Allen said. “We still carry the legacy of that moving forward.”