Cybersecurity: Current Legislation, Executive Branch Initiatives, and Options for Congress
Full Title of Reference
Cybersecurity: Current Legislation, Executive Branch Initiatives, and Options for Congress
Catherine A. Theohary and Clay Wilson (2010), Cybersecurity: Current Legislation, Executive Branch Initiatives, and Options for Congress, commissioned report for the Congressional Research Service, for members and committees of the U.S. Congress.
Increasing focus on current cyber threats to federal information technology systems, nonfederal critical information infrastructure, and other nonfederal systems has led to numerous legislative cybersecurity proposals and executive branch initiatives. The proposed National Defense Authorization Act for Fiscal Year 2010 (NDAA FY2010) and the Intelligence Authorization Act for Fiscal Year 2010 (IIA FY2010) both contain provisions that would affect programs and funding for current and future cybersecurity-related programs. In May 2009, the Obama Administration issued its 60-day review of cybersecurity policy, declaring that U.S. information networks would be treated as a strategic national asset.
There is no single congressional committee or executive agency with primary responsibility over all aspects of cybersecurity; each entity involved pursues cybersecurity from a limited vantage point dictated by committee jurisdiction. Many different initiatives exist, but because of fragmentation of missions and responsibilities, “stove-piping,” and a lack of mutual awareness between stakeholders, it is difficult to ascertain where there may be programmatic overlap or gaps in cybersecurity policy.
Drawing from common themes found in the Comprehensive National Cybersecurity Initiative (CNCI), a study by the Center for Strategic and International Studies (CSIS) Commission for the 44th Presidency, and the proposed near-term action plan from the President’s recent Cyberspace Policy Review, this report identifies cybersecurity policy issues that have been proposed for priority consideration. The report lists and synopsizes current legislation that has been developed to address various aspects of the cybersecurity problem. It then lists the current status of the legislation and compares legislation with existing executive branch initiatives. Finally, analysis of information contained in executive branch initiatives and congressional legislation is used to further highlight cybersecurity-related considerations for Congress.
Some Selected Points and Themes from the Article
- The article dwells principally on the lack of comprehensive, integrated governmental response or oversight of cybersecurity:
"There is no single congressional committee or executive agency with primary responsibility over all aspects of cybersecurity; each entity involved pursues cybersecurity from a limited vantage point dictated by committee jurisdiction." (1)
"Just as there is no single congressional committee that can claim primary jurisdiction over cyberspace, neither is there a single executive agency or department with sole cybersecurity responsibility or commensurate authorities. As the President stated, “No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge. Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don't coordinate and communicate nearly as well as they should—with each other or with the private sector.” (1)
- "Conceptual and definitional differences among agencies make a unified government strategic approach to cybersecurity a challenge to coordinate. For the Department of Defense, cybersecurity is both the protection of its own networks, processes and content—sometimes
referred to as “information assurance”—as well as enabling the freedom of movement to fight and win battles in cyberspace. This approach differs from that of the Department of Homeland Security (DHS), which is tasked to coordinate cybersecurity between the rest of the federal government and the private sector. DHS’s task is complicated, as cyberspace technology and processes are largely owned and operated by the private sector, and as the authority of the federal government to exert control over cybersecurity activities may be limited." (3)
- Comprehensively addressing national cybersecurity-related issues is a difficult task because of a number of technical and policy considerations. A persistent set of issues has stymied significant progress in detecting and deterring existing threats and implementing effective safeguard measures. Issues that appear to continually challenge U.S. cybersecurity efforts include:
• uncertainty of the geographic location of the perpetrators of cyber attacks; • the evolving integration of mobile technology devices into critical information infrastructure; • the introduction of new vulnerabilities to the nation’s infrastructure from increasingly sophisticated threats; • a poorly coordinated federal-private sector approach to addressing emerging risks; and • legal ambiguities with respect to U.S. response and offensive actions.
- The paper's key concern seems to be the lack of integrated communications and the absence of a single body responsible for and able to manage the comprehensive national cybersecurity concerns. Another important issue is the lack of clearly delineated responsibilities and courses of action between the private sector (which controls most network and data infrastructures) and the federal government.
According to Steven Chabinsky, Deputy Director of the Joint Interagency Cyber Task Force for the Office of the Director of National Intelligence, there are 12 objectives supporting the initiative’s goal of comprehensively addressing the nation’s cyber security concerns: 1. Move toward managing a single federal enterprise network (an integrated communications system architecture for the federal government with common security standards across the network). 2. Deploy intrinsic detection systems. 3. Develop and deploy intrusion prevention tools. 4. Review and potentially redirect research and funding. 5. Connect current government cyber operations centers. 6. Develop a government-wide cyber intelligence plan. 7. Increase the security of classified networks. 8. Expand cyber education. 9. Define enduring leap-ahead technologies (investing in high-risk, high-reward research and development to ensure transformational change). 10. Define enduring deterrent technologies and programs. 11. Develop multi-pronged approaches to supply chain risk management (potential tampering within the production line and the risk associated with computer products and parts made outside the United States). 12. Define the role of cybersecurity in private sector domains.
- President Obama's 2009 60-day Cyberspace Policy Review (issued in May, 2009) outlined some of the same concerns and priorities, with the goal of assessing U.S. policies and organizational structure for cybersecurity:
• Appoint a cybersecurity official to coordinate interagency strategy and policy. • Prepare and update national strategy to secure the information and communications infrastructure. • Designate cybersecurity as one of the President’s key management priorities and establish performance metrics. • Designate a privacy and civil liberties official in the NSC cybersecurity directorate. • Convene appropriate interagency mechanisms to conduct legal analysis of priority cybersecurity issues.10 • Initiate a national cybersecurity public awareness and education campaign. • Develop U.S. government positions for an international cybersecurity policy framework. • Prepare a cybersecurity incident response plan. • Develop a framework for research and development strategies that focus on “game-changing” technologies that enhance security. • Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests.
- Common themes to have emerged in recent disparate cybersecurity recommendations and initiatives are:
_National cybersecurity strategy—conceptualizing a current comprehensive approach toward a government-wide cybersecurity solution, outlining ends, ways, and means along with a prioritization of effort. _Executive branch organization—reorganizing existing executive branch structures, or standing up new entities to coordinate cybersecurity throughout the interagency process. _Congressional oversight concerns—identifying committee jurisdictions to oversee budgetary priorities and goals for cybersecurity programs. Establish/update legal authorities—expanding and/or clarifying roles and responsibilities ofcybersecurity stakeholders. _Privacy and civil liberties—maintaining privacy and freedom of speech protections on the Internet while devising cybersecurity procedures (As noted on page 1 of the report, "Privacy and civil liberties concerns are not highlighted in recent congressional proposals."). _Awareness, research, education, and training—developing a workforce to meet cybersecurity goals, raising citizenry awareness of cybersecurity best practices, and developing more secure technologies. _Outreach, collaboration, and policy formation—working across government and with the private sector to share information on threats and other data, and to develop shared approaches to securing cyberspace.