DHS Reluctant to Embrace Cybersecurity Bill
by Mickey McCarter   
Wednesday, 16 June 2010

Stance of top cybersecurity official surprises Senators

The top cybersecurity official at the Department of Homeland Security (DHS) gave an unexpected cold shoulder to the sponsors of a new Senate bill to codify the powers of the President and DHS in the event of a cyber emergency at a hearing Tuesday.

Philip Reitinger, deputy undersecretary of National Protection and Programs, largely did not comment directly on provisions to set up an Office of Cyber Policy in the White House and a National Center for Cybersecurity and Communications (NCCC) at DHS as prescribed in the Protecting Cyberspace as a National Asset Act of 2010 (S. 3480).

Instead, Reitinger defended existing authorities, such as Section 706 of the Communications Act, as forming a basis for emergency authority in the event of a cyber attack.

Susan Collins (R-Maine), ranking member of the Homeland Security and Governmental Affairs Committee, attacked the Communications Act as outdated and imprecise, noting that it was passed in January 1942, decades before the development of the Internet.

The Communications Act grants very broad authority to the President and disregards the current state of US critical infrastructure, Collins argued. The President can only exercise such authority when a certain threshold is met for a state of war or the threat of war.

As such, the Communications Act cannot provide the flexibility necessary to respond to a serious attack that targets infrastructure below that threshold, Collins said.

Reitinger responded that the Communications Act is only one such authority the Obama administration would rely upon to confront a cybersecurity emergency. Although he acknowledged that collectively the authorities are old and not specifically designed to deal with today's information technology, the administration would prefer to see an alignment of current authorities rather than the creation of new law.

Collins insisted that the executive branch needed an explicit authority to respond to a cyber crisis. The Protecting Cyberspace Act--co-sponsored by Collins, Joseph Lieberman (I-Conn.) and Tom Carper (D-Del.)--would spell out those authorities, require the President to inform Congress of White House actions, and limit emergency powers with automatic expiration dates.

The bill also would prevent the federal government from taking control of private networks, although it would empower the White House to quarantine limited private infrastructure to contain a cybersecurity threat.

"We can't wait; the hackers aren't waiting; 1.8 million attacks per month are occurring now," Collins demanded.

She also revealed that a DHS inspector general (IG) report set for release Wednesday would conclude that the US Computer Emergency Response Team (US-CERT) lacks the authority required to ensure federal agencies comply with its guidance.

US-CERT further lacks the authority to compel agencies to deploy technology or monitor attacks in real time, according to the IG report.

Collins emphasized that the Protecting Cyberspace Act would correct those deficiencies.

Reitinger did not respond directly to the argument, but he defended DHS as having broad authority to set cybersecurity requirements. While DHS does not have direct enforcement authority over other agencies, it can work through the White House to ensure compliance with cybersecurity guidelines, he said.

Lieberman expressed surprise that Reitinger would not endorse a clear statement of the authority of the President during the time of a cybersecurity crisis. The chairman of the homeland security committee indicated that he did not see in any law the authority, for example, to protect the electric grid by isolating parts of it or ensuring its resiliency during a cyber attack on the electric industry.

Reitinger again declined to comment on how federal authorities should come together to address such a threat, saying "predictions on vagrancies of the interagency process are beyond my competence."

Despite the absence of an official administration position on the bill, Reitinger did praise the concept of an all-hazards approach to homeland security threats, including cyber attacks. To that end, he approved of the bill's inclusion of a deputy director for physical infrastructure in the proposed NCCC.

DHS increasingly finds ways to collocate and coordinate cyber and physical infrastructure, and separating the two would be a mistake, Reitinger stated.

The bill also would provide funding and resources for red-teaming and blue-teaming federal networks, modeled after the testing for cybersecurity vulnerabilities conducted by the National Security Agency (NSA), where the agency simulates enemy (red team) and friendly (blue team) forces to attack and defend IT networks.

But DHS currently relies on NSA technical assistance and leverages its capabilities, Reitinger said. Although DHS has yet to fully develop the capability for red-team and blue-team training scenarios, the department's fiscal 2011 budget proposal provides resources to start developing those capabilities. In doing so, DHS would fully coordinate with NSA and rely upon its experience with the exercises.

Reitinger defended other DHS cybersecurity activities, noting that the Quadrennial Homeland Security Review (QHSR) released in February elevated cybersecurity to one of the top five missions for homeland security stakeholders.

In 2009, DHS expanded its cybersecurity workforce in its Office of Cybersecurity and Communications from 35 to 118 personnel, Reitinger noted. In 2010, DHS seeks to more than double the workforce once again.

The department also continues the rollout of the Einstein 2 intrusion detection service ahead of schedule, currently deploying it to 11 of 19 designated federal agencies. Einstein 2 will reach all of its federal recipients by the end of the fiscal year, Reitinger predicted.

Undaunted by Reitinger's resistance to the bill, Lieberman and Collins vowed to mark up their bill next week. Lieberman requested an official administration position on the bill by that time.


About the author: Mickey McCarter, eNewsletter Editor/Senior Washington Correspondent, is a journalist with more than a decade of experience in reporting on military affairs and information technology.