Piecemeal Approach to Cyber LegislationComprehensive Measures Have Failed to Come Up with Votes
As lawmakers head back to Washington after their summer recess, the U.S. Senate likely will take a piecemeal approach to cybersecurity legislation, says Jacob Olcott, the former counsel to the Senate Commerce, Science and Transportation Committee, whose leaders introduced a draft bill.
"I definitely expect to see other committees in the Senate introducing bills on their own," says Olcott in an interview with Information Security Media Group [transcript below].
In recent years, the Senate has attempted to enact more comprehensive measures, but they never came up for votes on the Senate floor.
"What you saw a couple of years ago with Harry Reid [the Nevada Democrat who is the Senate majority leader] taking the initiative to try to bring a lot of these different committees together to work on a larger comprehensive bill - that effort obviously fell apart," Olcott says.
The approach now is for committees with cybersecurity oversight - Armed Services, Commerce, Justice, Homeland Security and Governmental Affairs and State, for instance - to draft their own bills. "You're sort of back to the committees of jurisdiction working on their approaches that I think will be very consistent with one another," he says.
Before the summer recess, Democrat Jay Rockefeller of West Virginia and Republican John Thune of South Dakota floated a cybersecurity draft bill that promotes public-private collaboration on IT security. The draft legislation also encourages cybersecurity research and development, promotes the creation of computer and network security research centers, supports cybersecurity education and workforce development and backs awareness and preparedness programs.
In the interview, Olcott:
- Analyzes specific provisions of the draft legislation, such as those that would require the government to determine how to identify specific messages emanating from the Internet and deal with the insider threat;
- Describes the importance of the legislation as a vehicle to inform the executive branch of Congress' cybersecurity priorities; and.
- Explains why the Senate this year might take a piecemeal approach to cybersecurity legislation, rather than trying to enact more comprehensive measures.
Olcott is a principal specializing in cybersecurity at Good Harbor Security Risk Management, a consultancy founded by former White House IT security adviser Richard Clarke. While serving as an adviser to Rockefeller, Olcott was the lead negotiator on comprehensive cybersecurity legislation. Before serving as counsel to Senate Commerce Committee, Olcott served as staff director and counsel for the House Homeland Security Subcommittee on Emerging Threats.
ERIC CHABROW: Is [the Rockefeller-Thune] legislation, as Yogi Berra put it, "dÃ©jÃ vu all over again?" It seems very familiar to legislation that you helped draft in the previous Congress.
JAKE OLCOTT: There are definitely some differences to previous Rockefeller efforts, but by and large it's probably fair to say that a lot of the ideas represented in this bill are very familiar to those who have been following cybersecurity legislation, not only in the last Congress, but even the last several Congresses. We're seeing a lot of similar ideas here that were there even back in the 2008-2009 timeframe.
CHABROW: What's different about this bill than previous ones?
OLCOTT: The emphasis on [the National Institute of Standards and Technology] creating cybersecurity standards that will be voluntary for private sector owners and operators of critical infrastructure is something that's explicitly spelled out in this particular draft. In previous drafts, there were debates about the role of regulation for critical infrastructure owners and operators. This bill is very specific. Those measures will be voluntary. They will be developed by NIST working with private-sector actors [see Cybersecurity Framework: Making It Work].
CHABROW: Why's it important to codify this? This is already being done through President Obama's executive order.
OLCOTT: It's a very good question. If you look back throughout Congressional history, you will see a lot of efforts made by Congress to codify things that were already taking place in the executive branch. Part of that is to place the imprimatur of Congress on an executive action, and I think that's one of the reasons why Sen. Rockefeller and Sen. Thune came forward with this approach. They apparently liked the way that the executive order lays out the problem and provides the authorities to NIST. That's a primary reason why Congress decides to codify existing executive actions that are not otherwise codified.
CHABROW: Is it important for Congress to let the other branch of government or other branches of government know what it wants to be accomplished?
OLCOTT: That's exactly it, and as you know, there has obviously been a lot of controversy surrounding cybersecurity legislation over the last several years, not a lot of consensus on what to do about it. And I think, from Sen. Rockefeller's perspective, it's important to create consensus among Senate and House members about how to address the problem going forward. This is a way that he thinks he can get a significant amount of buy-in from not only other Democrats but certainly the Republicans, too.
CHABROW: What happens to a bill like this? Does this get incorporated into some other kind of legislation, or is this maybe all Congress can do now with cybersecurity legislation?
OLCOTT: I definitely expect to see other committees in the Senate introducing bills on their own and, specifically, I'm thinking the Homeland Security Committee in the Senate will undoubtedly introduce a [Federal Information Security and Management Act reform] bill along the lines of what they've been proposing for some time now. This is the way that the process works. What you saw a couple of years ago with Sen. Reid taking the initiative to try to bring a lot of these different committees together to work on a larger comprehensive bill - that effort obviously fell apart. Now, you're sort of back to the committees of jurisdiction working on their approaches that I think will be very consistent with one another. They definitely seem to be approaching it from a committee's specific perspective rather than trying to work across committees as in previous years.
I think that the senators involved learned a lot about a lot of different issues ... from the previous effort. I don't view this and I don't think Sen. Rockefeller would view this as being the combative approach or something like that compared to what the Senate Homeland Security Committee might put forward. On the other hand, sometimes House committees might feel that way because they haven't gone through this sort of comprehensive effort where everybody is sort of working together on the larger problems.
Bill's Specific Elements
CHABROW: Let's talk about certain elements in the bill. The legislation calls for the White House Office of Science and Technology Policy to coordinate the development of a fundamental cybersecurity research plan. Among the objectives delineated in the legislation would be determining the origin of a message transmitted over the Internet. That's kind of a very specific thing. I assume that's being done to identify hackers, but it sounds like it could also be used to identify other parties, perhaps innocent ones. Why include something so specific as that type of provision?
OLCOTT: I don't know where a provision like that originated, but I don't necessarily think that it's as bad as you might have inferred or has the same implications that you might have inferred. There's one thing I could say about the R&D priorities in that section. On the one hand, [there are] very specific ideas that are put forward in that provision; on the other hand, it feels to me a bit limiting, too. There are certainly a lot of issues that deserve increased tension and focus in the research and development area. This legislation, this provision specifically, allows for [White House Office of Science & Technology Policy] to move forward on a number of different issues and lists a few specific priorities. I would personally like to see the list of R&D priorities be a little longer than what's currently mentioned, and I'm sure that the members and staff will work on that in the weeks and months ahead.
CHABROW: This isn't necessarily directing them to do that as much as letting the White House know this is what we, as Congress, want you to work on?
OLCOTT: These types of provisions are ways of signaling to the executive branch that these are areas that Congress has identified as being particularly interesting or important and so they want to specifically highlight the issues or call the executive agency's attention to the problem. It's not meant to be a limited approach to what could constitute a cybersecurity R&D priority. It's just that these, for whatever reason, are top-of-mind for the members and their staff.
CHABROW: Which would explain why one of the areas they're asked to research is the insider threat, with all the news going on with Bradley Manning and Edward Snowden?
OLCOTT: Definitely a good reason why insider threat has become a hot-button issue in the R&D effort and why it's mentioned in here. There have been a number of initiatives over the last several years after the Bradley Manning case that have encouraged the development, not only in the R&D effort, but also in the acquisition and procurement arena for intelligence agencies and other federal agencies to acquire insider threat detection technologies. This is an area that has been given a lot of attention and focus by the executive branch already, and what the legislation does is exactly that - highlight the importance of the issue.
Identifying Key Areas
CHABROW: Of course, a lot of these programs are already under way to address these things.
OLCOTT: That's exactly it, and the benefit of legislation like this is that it helps the executive agencies identify specific areas for them to focus on, even as they prepare future budgets, too, by highlighting a few of the research and development areas. ... Congress and congressional leadership, Sen. Rockefeller and Sen. Thune, are sending a message to the departments and agencies that these are areas that they agree should be funded and should receive priority. The benefit for an executive agency then is to go ahead and prioritize some of those things and go back to the senators and say, "We heard you loud and clear and we agree with you. This is what we want to do and this is the area that we want to fund."
CHABROW: Simply, Congress is saying, "Hey, you're more likely to get funding for these things if you ask for it than other areas."
OLCOTT: Executive branch agencies should definitely read these bills and feel comfortable with investing what have become precious dollars in these areas, which is why it's important for Congress, the members and staff, to really do a lot of diligence in identifying those emerging areas for focus and R&D, because the executive agencies are paying attention.