WASHINGTON — With the federal government’s cybersecurity policy in flux, lawmakers and officials are exploring different paths to improve collaboration with the private sector, including the possibility of providing incentives to software firms that can demonstrate a baseline level of security.
“It’s incumbent on us to try to engage the private sector,” Ellen Doneski, chief of staff for Senate Commerce Committee Chairman John Rockefeller, said at a panel discussion this morning at Google’s Washington office.
Rockefeller earlier this year introduced legislation that would dramatically overhaul federal cybersecurity. Critics leapt on the bill for language that would allow the government to bypass privacy laws in the event of a cyber attack, as well as a provision that would give the president authority to shut down private-sector networks after declaring a so-called “cyber emergency.”
But Doneski stressed that the bill was introduced in an effort to spark a conversation, particularly with the private sector, calling the process of revising the language ahead of a committee markup “iterative.”
“Probably the language in the draft is imperfect,” she said, adding her hope that “by the time we get to actually moving the legislation it will be more warmly received.”
She said that one proposal on the table at the committee is tax incentives for vendors whose software meets certain security criteria.
In the discussion over cybersecurity policy, which heated up last month when President Obama gave a speech on the subject, one recurring theme is the notion of public-private partnerships. Obama and others have noted that the majority of the nation’s digital infrastructure belongs to the private sector, and that effective cooperation between policy makers and industry leaders is essential to a coordinated defense.
“Any notion that we’re going to solve this problem from the top down I think is fallacious,” said Philip Reitinger, deputy under secretary at the Department of Homeland Security.
Reitinger and Christopher Painter, the National Security Council’s director of cybersecurity, both said their agencies are exploring different ways to incentivize the development of securely coded software.
One way the government can do that is through the sheer force of its buying power. Richard Hale, the chief information assurance executive at the Defense Department’s Defense Information Systems Agency, pointed out that as such a large purchaser of software, the federal government could drive the market toward higher security standards if the agencies established secure code as a top priority when making procurement decisions.
Several of the panelists referred to Obama’s May speech as “game changing.” That address, which accompanied the release of a long-awaited policy review of the federal cybersecurity apparatus, helped move the issue into the mainstream by virtue of the presidential imprimatur.
Obama is not the first president to speak of the need to shore up the country’s information systems, but critics have described past rhetoric as little more than lip service to the issue.
“Once the CEO cares about it, it starts to get cleaned up,” Hale said. “That the CEO of the United States cares about this now is fundamental.”
Obama spoke of the need to engage the industry in cybersecurity, and vowed to launch an education campaign to raise awareness of the problem. He also pledged to create a new position of cybersecurity coordinator, who would be charged with bringing together the efforts of various agencies, and would also serve as a liaison to Congress and the private sector.
Some critics have since complained that the position, which has yet to be filled, is too far down in the bureaucratic hierarchy to have any real power. Rockefeller’s bill would create a similar position that would report directly to the president.
Many observers have noted that the effectiveness of industry partnerships has been hindered by excessive secrecy on the part of the government. Much of that criticism has been directed toward the National Security Agency, but the panelists at today’s event acknowledged that the problem spans the whole of government.
“How classified does some of this threat data need to be?” Hale said.
DHS’ Reitinger echoed that point, stressing the need for the federal government to cultivate trust with its industry partners in its cybersecurity efforts. “That involves making sure that we share information that we can share.”
He and the other panelists also noted the importance of simplifying the protocols for a government response to a cyber attack. When systems are under siege, that’s not the time to wade through the “300-page manual on the shelf” to determine who’s calling the shots.
Rockefeller’s bill would set some rules of the road for responding to cyber threats. Obama’s interagency coordination efforts also aim to bring some clarity to the matter.
Reitinger also said that DHS is struggling with a shortage of cybersecurity experts, a personnel deficiency the agency is trying to correct with a hiring binge.
“My top priority is continuing to build capability within the Department of Homeland Security,” Reitinger said. “Some of that is technology, but some of it is people. We’ve got a lot of great people, but we don’t have enough of them.”