Napolitano Urges Hill to Grant DHS, Others Regulatory Power on Executive Order Tasks

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Homeland Security Secretary Janet Napolitano March 7 urged Congress to enact a comprehensive cybersecurity package that would assist the administration with advancing standards for critical parts of the private sector, among other goals.

While the Department of Homeland Security and other agencies were directed under a recent executive order to promote industry adoption of cybersecurity standards (12 PVLR 257, 2/18/13), they currently do not have adequate authority to do so, according to Napolitano.

The order “does not grant new regulatory authority or establish additional incentives for participation in a voluntary program,” she said at a hearing held jointly by the Senate Homeland Security and Governmental Affairs Committee and the Senate Commerce, Science, and Transportation Committee. “We continue to believe that a comprehensive suite of legislation is necessary to implement the full range of steps needed to build a strong public-private partnership in the realm of cyber.”

Napolitano called for legislation to strengthen the cybersecurity of the nation's “critical infrastructure” operators by further increasing cyber-threat information-sharing between the government and the private sector and promoting the establishment and adoption of industry standards; give law enforcement additional tools to fight crime in the digital age; create a national data breach reporting requirement; and incorporate privacy, confidentiality, and civil liberties safeguards into all aspects of U.S. cybersecurity efforts.

She noted that the administration's current legislative priorities in the area of cybersecurity build on a legislative proposal that it submitted to Congress in 2011 (10 PVLR 730, 5/16/11).

Current Authorities 'Simply Not Enough'

Senate Homeland Security Committee Chairman Tom Carper (D-Del.) and Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) are among a group of Senate Democrats who have made it a top priority to get comprehensive cybersecurity legislation enacted as soon as possible, after a failed attempt in the previous Congress (12 PVLR 142, 1/28/13).

“While I commend the president for issuing this very important order, there was only so much he could do using the authorities granted to him under existing law,” Carper said at the hearing. “Those authorities are simply not enough to get the job done. Now is the time to begin the process of gathering input from the administration and a broad array of stakeholders in order to ascertain what Congress needs to do to build on the executive order that the president has promulgated.”

Carper said that more needs to be done on information sharing, for example, so that companies can more freely share best practices and threat information with each other and with the federal government. “We should also consider how we can further improve the protection of our nation's critical infrastructure, including offering incentives such as liability protection in certain instances,” he added.

Under the executive order, which was signed by President Obama on Feb. 12 and announced in his State of the Union address, the National Institute of Standards and Technology was directed to come up with voluntary cybersercurity standards for the nation's critical infrastructure, in collaboration with industry and other stakeholders, and DHS was charged with coordinating a program to promote the standards and to identify incentives for adoption.

In addition, regulatory agencies were directed to review existing cybersecurity mandates and determine whether they are sufficient and whether any current rules can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies are directed to propose “prioritized, risk-based, efficient, and coordinated actions … to mitigate cyber risk.”

The order also calls for the government to improve its sharing of cyber-threat information with the private sector, while ensuring privacy and civil liberties safeguards.

Several parts of the order mirror provisions of a comprehensive bill, the Cybersecurity Act (S. 3414), that was introduced in the previous Congress by now-retired Sen. Joseph Lieberman (I-Conn.), who chaired the Senate Homeland Security Committee at the time (11 PVLR 1205, 7/30/12).

Rockefeller and Carper were among the bill's cosponsors. When the measure reached the floor, Republicans and Democrats clashed over the legislation, particularly provisions dealing with standards for the private sector, and were ultimately unable to reach agreement, prompting the administration to consider short term steps that it could take on its own.

“The Obama administration got tired of waiting for us,” Rockefeller said in a statement prepared for the joint hearing. “I can't blame them. This is a problem that is growing worse every day.”

Rockefeller said that one of the most important parts of the order is the section that calls on NIST to develop cybersecurity standards.

Republican Calls for Common Ground

Sen. John Thune (R-S.D.), ranking member of the Senate Commerce Committee, said the order's release could provide an opportunity for Congress to find common ground on other steps that can be taken to address cybersecurity, although he was initially skeptical about executive action.

“It is no secret that, during the last Congress, the Senate reached an impasse on cyber security legislation,” Thune said. “It is my hope--I suspect our shared hope--that we can avoid another stalemate in this Congress.”

In the meantime, he said that Congress needs to conduct “meaningful” oversight of the executive order's implementation.

NIST Director Patrick Gallagher emphasized that his agency will develop cybersecurity standards through a multi-stakeholder process. He also stressed that the NIST effort is not designed to result in new regulations for the private sector.

“[B]y standards, I am referring to agreed-upon best practices against which we can benchmark performance,” Gallagher said in prepared remarks. “Typically these standards are the result of industry coming together to develop solutions for market needs and are developed in open discussions and agreed upon by consensus of the participants.”

NIST Outreach Effort Underway

Gallagher said that his agency has already initiated an aggressive outreach program to get industry and other stakeholders involved in the process.

On Feb. 26, NIST published a request for information to gather initial public comments, which are due April 8 (12 PVLR 372, 3/4/13). The agency is required to publish a draft framework by the fall and to produce a final version by February 2014.

In addition, NIST is planning a series of workshops and other events, Gallagher said. The first workshop will be held in early April to initiate the process of identifying existing resources and gaps and to prioritize the issues that need to be addressed as part of the cybersecurity framework, he noted.

“The goal at the end of this process will be for industry to take and update the Cybersecurity Framework themselves--allowing it to evolve when needed,” Gallagher said.

By Alexei Alexis  

Further information on the hearing, including links to prepared testimony of witnesses and an archived webcast of the hearing, is available at