Administration Declines to Back Cybersecurity Bill

Top DHS Official Questions Creation of New Infosec Bureaucracy

Philip Reitinger, DHS deputy undersecretary for the National Protection and Programs Directorate, told the Senate Homeland Security and Governmental Affairs Committee Tuesday that the administration's review of the bill isn't complete - he wouldn't give a timetable on when it would be finished - and thanked the sponsors for having so much faith in DHS to lead government cybersecurity activities. But he questioned provisions in the bill to create a new component within DHS that would focus on cybersecurity at a time when the department seeks to address physical and virtual threats jointly.

The legislation - the Protecting Cyberspace as a National Asset Act of 2010 - would establish within the White House an Office of Cyberspace Policy to address governmentwide cybersecurity policy and within DHS the National Center for Cybersecurity and Communications to oversee the execution of IT security initiatives among civilian agencies and the mostly privately owned critical national IT infrastructure.

Reitinger - the highest ranking cybersecurity official at DHS - testified that the administration would rather not have a separate organization devoted to cybersecurity because it's more effective to address jointly the risks to key physical and cyber infrastructures.

"The private sector speaks the language of all hazards, they worry about risk, as a telecom would say, whether it's from a cyber attack or a backhoe," Reitinger said. "We, in government, need to step to that, and speak their same language if we want to influence how they behave in an all-hazards way, in a risk-based way, and if something bad happens, physical or cyber, to be able to address it seamlessly."

The bill is sponsored by committee chairman Joseph Lieberman, ID-Conn., ranking minority member Susan Collins, R-Maine, and Tom Carper, D-Del., who chairs a panel subcommittee with IT security oversight.

Collins appeared exasperated over Reitinger's disinclination to back provisions in the bill that would grant the president authority to compel the private owners of the nation's critical IT infrastructure, such as the power grid, to defend against an imminent, major cyber attack. In his written testimony, Reitinger contended the president already has that authority under a number of laws, including Section 706 of the Communications Act.

But Collins pointed out that the law dates back to January 1942, a month after Japan's attack on Pearl Harbor brought America into World War II. "Obviously, a very different time, and a long time before the Internet was even conceived of," she said.

Collins also questioned whether the laws Reitinger cited would give the president the authority to act if war isn't imminent. Reitinger didn't disagree. "There are a lot of legal questions that have not been answered," he said. "The cyberspace policy review identified a significant number of them. We, in the administration, would be happy to work with this committee to make sure the authorities that are necessary to meet the coming need are present in the Department of Homeland Security or the president of the United States in appropriate emergencies."

Collins wanted a firmer commitment: "Shouldn't we be spelling out exactly what the president's authority is short of a state of war?" she asked.

Reitinger answered: "I apologize that I can't take a position on the bill at this time, but I do appreciate the effort that the committee made to tailor the authorities so they are focused on the expected need."

"I'll take that as a yes," Collins said, with the crowded hearing room breaking into laughter.

"I'm not trying to put you in an uncomfortable spot, but as you know, we have been working with the department on this issue for more than a year," Collins said. "I just don't understand why the department isn't much further along in its thinking on what should be done. That's why the three of us proceeded with this bill. We can't wait. Those hackers aren't waiting; the 1.8 billion attacks per month are occurring now. ... Relying on a law passed in World War II, it is just foolhardy; it's out of date."

Unlike his fellow Republican Collins, Sen. John McCain of Arizona didn't seem concerned whether or not he made Reitinger comfortable. McCain asked who is the "greatest (cyber) attacker" against the United States; Reitinger answered that he would rather not comment at a public hearing.

McCain noted that kinetic attacks against Georgia and Estonia several years ago were accompanied by cyber attacks against government sites, and asked if Russia was behind the virtual assaults.

"Sir," Reitinger said, "I'm not prepared to attribute that activity on the record."

"Wow!" McCain responded. "Every media in America is, but you can't?"

"I don't mean to be flippant," Reitinger said.

"You're not flippant," McCain said. "You're just not forthcoming."

Federal Audit: Muscle Up U.S.-CERT

During the hearing, Collins revealed that government auditors will release a report Wednesday saying that the United States Computer Emergency Readiness Team, the DHS unit charged with providing response support and defense against cyber attacks for the civilian agencies, lacks the power to require agencies to do what's necessary to defend their digital assets. She contended that the creation of the National Center for Cybersecurity and Communications would help enforce IT security defense at civilian agencies.

Reitinger said DHS, working with White House Cybersecurity Coordinator Howard Schmidt and the Office of Management and Budget - which oversees agencies' IT security budgets - has broad authority to make sure cybersecurity requirements are met. He said agencies that failed to heed U.S.-CERT's advice had limited resources to provide a cyber defense. "They are, in fact, just barely able to keep the attackers at bay," he said.

That answer didn't satisfy Collins, who said: "It's evident to me that the department needs more teeth in its directives or agencies are going to feel free to ignore them."