In a move to pigeon-hole his mostly-Democratic opponents as high-spending bureaucrats, perhaps with an axe to grind against the Defense Dept., former Presidential candidate Sen. John McCain (R – Ariz) announced yesterday the formation of competing cybersecurity legislation. Sen. McCain’s move pits him squarely against the former Democrat who endorsed him for President in 2008 and who once was considered a shoe-in for his running mate, Sen. Joe Lieberman (I – Conn.).
A hearing was held yesterday in the Senate Homeland Security Committee that Sen. Lieberman chairs. From the makeup of the witness panels, one could suppose it was originally intended to be something more like a graduation ceremony for a bill Lieberman and his colleague, Majority Leader Harry Reid (D – Nev.), would like to characterize as one step from the President’s signature. As it turned out, McCain’s announcement gave an opening for one panelist, former DHS Secretary Tom Ridge (under Pres. George W. Bush) to give what sounded like a pitch for the McCain bill.
“If the legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses, which own roughly 90% of critical cyber infrastructure,” stated McCain in his opening remarks yesterday. “The regulations that would be created under this new authority would stymie job-creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates. A super-regulator, like DHS under this bill, would impact free market forces which currently allow our brightest minds to develop the most effective network security solutions.”
DHS or DoD?
The major point of contention for McCain is that new language in the Lieberman/Collins bill would effectively make the Homeland Security Dept. the nerve center for cyber-emergency initiatives, and the point of contact for private security experts to help develop federal cybersecurity policy. McCain – who serves as ranking member on the Armed Services Committee – perceives the Defense Dept. as already having led the way in that category. He cites a September 2010 memorandum of understanding (MOA) between DHS and DoD (PDF available here), establishing a joint cybercommand center where DHS employees effectively report to the NSA – an agency of the DoD.
“DoD and DHS agree to collaborate to improve the synchronization and mutual support of their respective efforts in support of U.S. cybersecurity,” the memorandum reads. McCain’s assertion is that Lieberman/Collins would bypass that MOA, creating a new regulatory agency in place of the existing set of tactical response authorities, and replacing a general with a bureaucrat. McCain quoted this general – Keith Alexander, who heads U.S. Cybercommand – as saying, “In order to stop a cyber attack you have to see it in real time, and you have to have those authorities.”
In her testimony before the committee yesterday, current DHS secretary Janet Napolitano acknowledged the MOA, but asserted that instead of replacing it, the Lieberman/Collins bill could potentially strengthen it. But the way to do that, she said, would be “to allow DHS to expand and enhance these efforts with critical infrastructure” – in other words, to give DHS the authority to act when both public and private resources housing government data are threatened.
“While the Administration has taken significant steps to protect against evolving cyber threats, we must acknowledge that the current threat outpaces our current authorities,” stated Napolitano. “DHS must execute its portion of the cybersecurity mission under an amalgam of existing statutory and executive authorities that fail to keep up with the responsibilities with which we are charged. Our cybersecurity efforts have made clear that our nation cannot improve its ability to defend against cyber threats unless certain laws that govern cybersecurity activities are updated.”
The Complaint About “Compliant”
Arguing against that line of reasoning, and effectively on McCain’s behalf, was the first DHS secretary, Tom Ridge – himself a former senior advisor to McCain’s 2008 campaign. Presently, Gov. Ridge serves as chair of the National Security Task Force for the U.S. Chamber of Commerce. He argued that a new regulatory agency would create a kind of regime that makes enterprises that do business with the government shift their focus from “secure” to “compliant,” potentially lowering the bar with respect to proactive measures against cyber attacks.
“Contrary to some news headlines, the private sector routinely thwarts cyber attacks against its networks because it is fast and nimble in its response and recovery efforts,” Ridge stated. “The Chamber is deeply concerned that a new regulatory regime would box in our critical infrastructures, hampering the freedom, agility, and innovation needed to deflect or defeat adversaries who are often quite amply resourced.”
Calling out the apparent disharmony between the two agencies’ approaches, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney noted that a multitude of government agencies – DoD and DHS included – have instituted their own cybersecurity initiatives. Perhaps all of them are commendable; the problem is, they’re separate. And the Lieberman/Collins bill might add one more silo to the list.
“While each initiative has value, their long-term effectiveness would be improved by an articulation of common goals and operational alignment to maximize their impact,” stated Charney. “It is clear that cyberspace demands a different type of policymaking; agencies cannot develop and implement policies in silos. Nor can national governments act alone. The Internet is truly global and the U.S. Government must be cognizant that American cybersecurity efforts reverberate beyond our borders. In some instances, foreign governments will act in alignment with American interests and may even emulate its policies. In other instances, however, there may be disparate national approaches. Countries may have philosophical differences, of course, but sometimes technical requirements – even if promoted in the name of national security – are really attempts to create trade barriers. Policymakers must be mindful of the global import of their actions and ensure that competing interests are balanced appropriately.”
Sen. McCain said his competing legislation will be introduced following the President’s Day holiday, which could mean as soon as next week. Lieberman/Collins does have a modicum of bipartisan support, by virtue of Sen. Susan Collins’ (R – Maine) co-sponsorship, and could conceivably pass the Senate even over McCain’s objection. But any legislation started in the Senate must then either pass the House, or be reconciled with similar legislation introduced in the House. That body is still under Republican control, so if McCain pulls the right strings, he may be able to stall Lieberman/Collins – thus adding it to the one of the largest stockpiles of unpassed bills from any Congress in history.