Napolitano Says Interagency Appraisal Nearing a Conclusion

March 10, 2011 – Eric Chabrow, Executive Editor, GovInfoSecurity.com

During the first two years of the Obama administration, the White House didn’t show much enthusiasm for legislation to codify changes in the way the federal government tackles IT security. Without administration support, Congress failed to enact any significant cybersecurity legislation during the 111th Congress. Is that changing?

Sen. Sheldon Whitehouse hasn’t seen any evidence of that yet. In questioning Homeland Security Secretary Janet Napolitano during a Senate Judiciary Committee hearing on Wednesday, the Rhode Island Democrat suggested the Obama administration has been prolonging an interagency review of cybersecurity policy that could provide guidance on legislation Congress would consider.

“There’s no point sorting (Senate legislation) out if we don’t know where the executive branch is going to stand,” Whitehouse said. “As I understand it, the interagency process has lasted over a year already, during which we have been basically cut out of discussions between the executive and legislative branches. So, in the legislative branch, we are now a year into a stall on preparing the legislation that I feel we urgently need in order to protect our country from cyberattack. I don’t think it’s purely an executive administrative function and the shuffling things around within the executive branch under existing authorities is adequate.”

Whitehouse pressed Napolitano several times on when the interagency review would be completed, but she said she didn’t know and would ask the White House. (The White House has yet to respond to an e-mail message sent Thursday asking about the status of the review.)

Napolitano didn’t provide specifics on what the administration would want to see in any legislation, though she agreed with Whitehouse that the law must be changed to establish secure domains – web addresses – for the nation’s critical IT infrastructure. The secretary said new laws would need to define authorities and jurisdiction within government in safeguarding the new, developing area of cyberspace. “Clarity always facilitates operations, and we’re on the operations side on the actual protection aspect of our civilian networks,” Napolitano said. “And, so, if we can work with the Senate and get to a bill that clarifies authorities and jurisdictions, I think that would be very helpful.”

Melissa Hathaway, who ran President Obama’s cyberspace policy review in 2009, said the delay is understandable, considering that it takes time to obtain agreement on needed legislative changes to enhance mission requirements while simultaneously clarifying jurisdictional authorities. “I don’t believe that anyone is trying to delay progress,” said Hathaway, senior adviser at Harvard University’s Belfer Center for Science and International Affairs. “It’s difficult to obtain agreement coupled with majority consensus on what is the right set of first steps.”

The administration and Congress must not only address tactical, short-term initiatives, but define strategic, long-term goals to protect, Hathaway said, adding: “This will require addressing the shortfalls in our current laws and thoughtful review of how we close the gap between the threat, innovation and competitiveness.”

By Hathaway’s calculation, lawmakers introduced more than 55 cybersecurity-related bills in the 111th Congress; in the 112th Congress, which began in January, at least six cybersecurity bills have been introduced. Dozens more address net neutrality, data breach and other associated cybersecurity items, she said.

Among those half-dozen bills is the Cybersecurity and Internet Freedom Act of 2011 (see Senate Bill Eyes Cybersecurity Reform) that would establish a White House Office of Cyberspace with a Senate-confirmed director – a matter the administration opposed last year – as well as emphasize real-time monitoring of government IT systems and a move away from paper-compliance under the Federal Information Security Management Act. The bill also would require each agency to designate a qualified, senior official as chief information security officer.

Cybersecurity policy expert James Lewis, senior fellow at the Center of Strategic and International Studies, said he believes the White House will offer proposed language for cybersecurity by early April. “It will, I think, have some parallels with the Senate bill, but it is still being hashed out.”