A bill to shift cybersecurity to White House

Two senators plan to increase Washington's emphasis on cybersecurity by moving responsibility from Homeland Security and allowing "critical" networks to be disconnected.

Stephanie Condon Staff writer, CBSNews.com
Stephanie Condon is a political reporter for CBSNews.com.
Stephanie Condon
4 min read

Forthcoming legislation would wrest cybersecurity responsibilities from the U.S. Department of Homeland Security and transfer them to the White House, a proposed move that likely will draw objections from industry groups and some conservatives.

CNET News has obtained a summary of a proposal from Senators Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an Office of the National Cybersecurity Advisor, part of the Executive Office of the President. That office would receive the power to disconnect, if it believes they're at risk of a cyberattack, "critical" computer networks from the Internet.

"I regard this as a profoundly and deeply troubling problem to which we are not paying much attention," Rockefeller said a hearing this week, referring to cybersecurity.

Giving the White House cybersecurity responsibility was one of the top recommendations of a commission that produced a report last year to advise President Obama on cybersecurity issues. However, the Homeland Security Department, which currently has jurisdiction over cybersecurity, has insisted the reshuffling of duties is not needed.

Given the enormity of cybersecurity threats, the responsibility is a natural fit for the White House, said James Lewis, a director and senior fellow at the Center for Strategic and International Studies, which issued last year's commission report.

"The Obama administration has an adviser on energy and climate change, and that's good and important," Lewis said, "but we're still in the mode that cyber is less important."

While the bill is still in draft form and thereby subject to change, it would put the White House National Cybersecurity Advisor in charge of coordinating cyber efforts within the intelligence community and within civilian agencies, as well as coordinating the public sector's cooperation with the private sector. The adviser would have the authority to disconnect from the Internet any federal infrastructure networks--or other networks deemed to be "critical"--if found to be at risk of a cyberattack.

The private sector will certainly speak out if this provision is included in the final draft of the bill, a member of the technology industry who spoke on condition of anonymity said.

"You can be assured that if that idea is put into legislation we would certainly have views on it," he said. "It's not trivial."

While the person did not take a stance on whether the White House is the appropriate place to put cybersecurity jurisdiction, he said, "cybersecurity is a cross-cutting issue, across all government agencies, so leadership at the top is useful."

The bill could also make the proposed cyber adviser responsible for conducting a quadrennial review of the country's cybersecurity program, as well as for working with the State Department to develop international standards for improving cybersecurity.

The draft version of the bill also establishes a clearinghouse for the public and private sectors to share information about cyberthreats and vulnerabilities. It also creates a Cybersecurity Advisory Panel consisting of outside experts from industry, academia, and nonprofit groups to advise the president.

Because many federal contracting officers do not currently include security provisions into federal procurements, the bill could also establish a "Secure Products and Services Acquisitions Board" to review and approve all federal acquisitions.

At Thursday's hearing, Edward Amoroso, AT&T's senior vice president and chief security officer, said the federal procurement process "needs to be upgraded to implement sufficient security protections."

Some industry groups are warning, however, that adding customized requirements to the government's procurement process may inhibit the government's ability to take advantage of the innovations and cost benefits available from commercial technology.

"Simply put, the government cannot reach its security goals by compromising its access to commercial solutions and processes, nor can it technologically or financially afford it," the Business Software Alliance wrote in a memo to Melissa Hathaway, the acting senior director for cyberspace at the White House National and Homeland Security Councils, who is conducting a 60-day review of cybersecurity programs for President Obama. "Rather than imposing overbroad security requirements, government needs to be selective and limit them to high-criticality systems."

The bill may also subject both government and private sector networks to cybersecurity standards established by the National Institute of Standards and Technology. It may also provide for a professional licensing and certification program for cybersecurity professionals.

The senators also want to create greater general awareness of the importance of cybersecurity, so the legislation would expand scholarships for students studying cybersecurity, create an annual cybersecurity competition and prize for students, and initiate a cybersecurity awareness campaign. It would also increase cybersecurity research and development funding for the National Science Foundation.

Lewis said he is very pleased with the Senate's work on this bill so far.

"Having a knowledgeable and powerful group of senators that are willing to pick up the ball and run with it is really encouraging," he said.

Given the broad nature of the legislation--which spans intelligence and homeland security issues, as well as commerce issues--Rockefeller may have to work with the leaders of the Senate Homeland Security Committee and other leaders in the Senate to shape the final version.

An industry insider said, though, that Rockefeller's previous experience chairing the Select Committee on Intelligence will improve the bill's chances of advancing.

"His personal credibility and experience allow him to play a role that another chairman might necessarily have been able to play," the source said.