NSA’s Gen. Alexander: Companies should be required to fortify networks against cyberattack

Editor’s Note:  FISMA Focus expects that there will be cybersecurity regulation on private sector critical infrastructure.  FISMA Focus has referred to this eventuality as The Coming Cybersecurity Regulatory Revolution.

From: The Washington Post
By Ellen Nakashima

Gen. Keith Alexander, the head of the nation’s largest spy agency and its cyberwarfare command, is urging adoption of legislation to require companies providing critical services such as power and transportation to fortify their computer networks against cyber attacks.

Though he did not specify a particular bill, Alexander, commander of the U.S. Cyber Command and director of the National Security Agency, said in a letter Friday to Sen. John McCain (R-Ariz.) that “recent events have shown that a purely voluntary and market driven system is not sufficient” to protect such networks.

The words are likely to disappoint GOP opponents of government regulation and in particular of legislation pending in the Senate that would authorize the Department of Homeland Security to ensure certain critical networks meet minimum security requirements.

“Some minimum security requirements will be necessary to ensure that the core critical infrastructure is taking appropriate measures to harden its networks to dissuade adversaries and make it more difficult for them to penetrate those networks,” Alexander wrote, adopting the Obama administration’s position on the need for cybersecurity legislation.

A legislative package cosponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), among others, is pending in the Senate that would do just that. But the Cybersecurity Act of 2012 faces stiff opposition from Republicans such as McCain, who have decried it as too burdensome on business. At a hearing earlier this year, McCain blasted the bill as turning DHS into a “super-regulator.” He warned it would lead to “unelected bureaucrats” foisting rules on companies that would divert resources from developing security to complying with mandates.

But Alexander, who also stressed that the requirements not be too burdensome, pointed out that the Department of Defense relies on key industries such as power, transportation and telecommunications. Last year, he stated that the power sector is “at the bottom” of the list in cybersecurity. “It’s not a priority for them,” he said at a speech last year at the University of Rhode Island. “They don’t have expertise. They need government assistance.”

Further, he said, it is U.S. Cyber Command’s role to defend the nation from a cyber attack. He said the president can delegate authority to the Defense Secretary to use Cyber Command’s capabilities to defend the nation. And, he said, “much work remains to be done across both the public and private sectors” to deter adversaries in cyberspace.

Alexander also noted in his letter the need for greater sharing of cyber threat data from the private sector with the government. Several bills in both the House and the Senate would enable that. Right now, he said, “the limited, voluntary information sharing by the private sector inhibits the government’s ability to protect domestic cyberspace.”

Other administration officials have explicitly endorsed the Lieberman-Collins bill. They include Defense Secretary Leon Panetta, Joint Chiefs of Staff Chairman Gen. Martin E. Dempsey and Homeland Security Secretary Janet Napolitano.
