Over the past eight days both the House of Representatives and the Senate have held oversight hearings on the voluntary critical infrastructure cybersecurity framework that the National Institute of Standards and Technology (NIST) is developing pursuant to President Obama’s February 12, 2013 executive order. On July 18, the House Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on the development of the framework, which was followed by a Senate Commerce Committee hearing yesterday on the partnership between NIST and the private sector to hammer out the framework.
Little in the way of controversy or news emerged during either hearing, with both arms of Congress expressing strong support for the NIST initiative, which will appear in preliminary form in October and final form in February 2014. “I believe that the outline of NIST’s framework provides an important step to increasing our nation’s awareness and ability to protect our networks from crippling cyber attacks,” House Subcommittee Chairman Patrick Meehan (R-PA) said.
“Getting NIST involved in cybersecurity makes a lot of sense, because NIST already has decades of experience working with the private sector on computer security issues,” Senator Jay Rockefeller (D-WV), Chairman of the Senate Commerce Committee said. Rockefeller along with Ranking Member John Thune (R-SD) have introduced a bill, The Cybersecurity Act of 2013, that will codify into law the voluntary framework that NIST produces, legislation that Rockefeller said yesterday will go to mark-up before Congress recesses in August.
All of the witnesses at both hearings said that the framework process is humming along nicely. “I’m actually quite excited by the progress we have made and the response we’ve got from the private sector,” Charles Romine, Director of NIST’s Information Technology Laboratory told the House Subcommittee, referring to the three workshops NIST has held with the private sector in developing the framework. “We’ve achieved over the course of a relatively short time a consensus on the framework.”
And all of the witnesses said that the framework is an excellent initiative to tackle the cybersecurity challenges that industry and government face. “The approach to the cybersecurity framework set out in the executive order will allow industry to protect our nation from the growing cybersecurity threat while enhancing America’s ability to innovate and compete in a global market,” NIST Director Patrick Gallagher told the Senate Committee.
A few interesting points were briefly touch upon in both hearings. The first is whether Congress should recommit to passing comprehensive cybersecurity legislation. During the waning days of the last Congress, efforts to pass tougher cybersecurity legislation were derailed in the face of opposition by both industry interests and privacy advocates, prompting President Obama to issue his executive order to compensate for the failure.
“I have concerns that a self-assessment may not be sufficient to incentivize action to bolster cyber defenses,” Rep. Meehan said during the Subcommittee hearing, referring to the public-private partnership underlying the voluntary standards. “Ultimately, I believe it is the consensus of this committee that Congress must pass legislation, in order to address many of these outstanding issues.”
Meehan was specifically referring to cyberthreat information-sharing among private sector and government entities which most experts believe requires an act of Congress. Rockefeller, who is also a member of the Senate Intelligence Committee, said during yesterday’s hearing that the Intelligence Committee plans to introduce a bill that would permit and facilitate information sharing.
A related issue is the degree to which the voluntary standards should ever become mandatory requirements either through legislation or existing or new regulatory authorities. “If we can create confidence in the marketplace [with the framework] then I don’t think government needs to get involved,” Robert Kolasky, Director of the Integrated Task Force assigned with implementing the executive order at the Department of Homeland Security, told the House Subcommittee.
As to whether regulatory or other government agencies can enforce the framework in some fashion through their existing authorities, a subject of examination under the executive order, “until the agency actually tries to create regulations one doesn’t really know what’s going to happen,” Eric Fischer, Senior Specialist at the Congressional Research Service told the House Subcommittee. “If they do have the authority they may do it anyway.”