With August recess and the end of the fiscal year looming, congressional leaders say they are focused on cyber security. They are focused on the private sector as they work to collaborate on legislation, which would bolster information sharing between the government and corporations. They are focused on the executive branch as they review the results of the White House’s 30-day “cybersecurity sprint.” But to truly address our cybersecurity vulnerabilities, Congress must turn its focus within.
Consider three recent cybersecurity issues and Congress’ response. As the government has disclosed, the cyber attack on the Office of Personnel Management (“OPM”) compromised the personal information of over 21 million federal employees, contractors, and legislative leaders. Congress is now running a read-and-react playbook, scrambling to get movement on any cyber security bill. The most viable bill appears to be the Cybersecurity Information Sharing Act (“CSIA”), which would bolster information sharing between the government and the private sector through liability protection. While this is a good policy to implement, it remains unclear what, if anything, the CSIA would do to prevent another cyber attack on the federal government. Furthermore, the CSIA is at best a piecemeal fix at a time when comprehensive reform is desperately needed.
Just last week, the Department of Defense requested a whopping $4.5 billion be reprogrammed in the wake of the OPM attack. To put it in perspective, that amount is four times as much as the Department of Homeland Security (“DHS”) spends on cyber security in an entire year. It seems staffers will handle this reprogramming request, without the benefit of hearings and public debate. If so, taxpayer dollars will once again be thrown at the cyber problem without real scrutiny as to whether they will be used efficiently and effectively. This week brought the news that DHS’s political leadership, including the Secretary himself, may have exposed the Department to vulnerabilities by using personal e-mail accounts on government desktops. There is no indication that those in Congress charged with overseeing DHS knew top-level officials were being granted exemptions from the Department’s ban on the use of personal e-mail.
The same problem is causing Congress’ bungled response in each instance. Far too many committees and subcommittees have jurisdiction over cybersecurity. The complicated web of congressional jurisdiction makes for a split decision process on cyber policy and leads to weak oversight over DHS and other critical agencies. A congressional leader has not emerged to truly take the cybersecurity reins.
In contrast, take for example the response to the Federal Emergency Management Agency’s (“FEMA”) unforgivable response to Hurricane Katrina. From the outset, Congress’ response was ushered by Sens. Collins (R-Maine) and Lieberman (D-Conn.)—leaders of the Senate Committee on Homeland Security and Governmental Affairs. Collins and Lieberman conducted a rigorous and thorough investigation of the causes of FEMA’s failures. Less than a year later, they introduced informed and sensible legislation to reform the agency. Their bipartisan collaboration and heavyweight status in the Senate helped get the legislation through, including the necessary funding to put FEMA on track.
Before Congress can reform cyber security across the federal government and private sector, it must reform itself. To end the stalemate, a joint committee on cyber should be considered, with leadership that has a history of bipartisanship at the helm. Once in place, the committee would stand at the ready to respond to cyber security issues as they arise. Moreover, the committee should identify and investigate our vulnerabilities, collaborate with stakeholders to draft truly comprehensive legislation, and not rest until such legislation is signed. At a time when the cyber alarm is sounding louder than ever, Congress must put an end to its own finger pointing and turf wars and fill its void of cybersecurity leadership.
Norton is a homeland-security and public-safety policy expert. He has served as a senior defense-industry executive and as deputy assistant secretary of the U.S. Department of Homeland Security in the Office of Legislative Affairs. He is an adjunct professor at Johns Hopkins University, teaching courses on cyber, homeland security and the legislative process. Follow him on Twitter @jamesnorton99