Cybersecurity personnel and policy pieces are coming together, slowly and somewhat unevenly, as the Trump administration settles in and lawmakers take their first cracks at the issue.
An anticipated executive order from President Trump on cybersecurity has been pushed into the background amid administration efforts to get its border and immigration policy into place.
The pending cyber order is expected to set the stage for a wide-ranging review of federal cybersecurity practices, but draft versions triggered alarms in the private sector and on Capitol Hill for appearing to scramble established responsibilities within the executive branch and perhaps even place new requirements on industry.
Senior officials, including Homeland Security Secretary John Kelly, said last month that the draft version was being significantly reworked. The most controversial elements are expected to disappear, and the resulting document may simply set off an interagency review and emphasize the importance the administration attaches to the issue.
When it will be released remains an open question. As a point of comparison, the Obama administration’s initial 60-day review of cyber policy issues was completed in the spring of 2009, and President Obama gave his first policy speech on the issue in late May of that year.
On Capitol Hill, the House Science Committee last week moved a potentially controversial bill on auditing federal agencies’ cybersecurity practices, the most significant congressional move on cyber so far this year, and one that instantly triggered both jurisdictional and substantive outcries.
The Science panel’s bill, which Chairman Rep. Lamar Smith, R-Texas, insisted rather testily is within the committee’s jurisdiction, would require an audit of federal agencies’ cybersecurity practices by the National Institute of Standards and Technology.
“NIST has the experts who develop the standards and guidelines under the Federal Information Security Modernization Act, which apply to the federal government,” Smith said.
NIST, in collaboration with other agencies and industry, does develop standards. But it typically doesn’t audit the use of such tools, and requiring it to do so would raise extensive questions about the agency’s role, as well as resources and manpower.
NIST is “going to have to step up,” Smith said, even though the team out in Gaithersburg, Md., has been perhaps the most effective federal government player on cybersecurity through development of its framework of cyber standards and work on tools addressing virtually every aspect of the cybersecurity challenge.
Further, the auditing role seems a better fit with either the Department of Homeland Security or Office of Management and Budget, or both, which have the personnel and structure to perform the task.
Equally important, they have the relevant statutory authority.
“I specifically recall [the Government Accountability Office’s] recommendation that the Department of Homeland Security, and not NIST, carry out surveys and assessments of the adoption and effectiveness of the Cybersecurity Framework,” Science Committee ranking Democrat Eddie Bernice Johnson of Texas said at the markup.
“NIST itself has steadfastly maintained that they are the wrong agency to do it, and not just because of limited resources,” Johnson said before voting against the bill.
Cybersecurity leaders at a number of major trade associations privately inveighed against the bill, although few wanted to get out front until it becomes a bit clearer where this legislation is going.
The bill did receive a shout-out from Larry Clinton, head of the industry-based Internet Security Alliance and a long-time proponent of finding ways to assess the effectiveness, especially the cost-effectiveness, of tools such as the NIST cyber framework.
“Companies will naturally use elements of the framework that have been shown to be cost-effective,” Clinton said in a statement. “Having data like this — even if it is just from federal agencies — would be one of the best bulwarks we can have against creating a regulatory environment in cybersecurity.”
The congressional homeland security committees and the House Oversight and Government Reform panel will surely weigh in, probably in a bipartisan voice, before the Science Committee bill reaches the floor.
On the personnel front, a Senate panel held a confirmation hearing for former Sen. Dan Coats, R-Ind., the nominee to serve as director of national intelligence.
Among his priorities, Coats said cybersecurity was “quickly rising to the top of the list.”
The Senate Intelligence panel may vote on Coats as early as this week, according to a committee source, and the well-liked former senator, who is also a long-time member of the Intelligence Committee, is expected to sail through.
Timing for a floor vote is less certain, and it’s unclear whether Democrats will try to stretch out the process of granting final approval, as they have on controversial and noncontroversial nominees alike.
But once Coats is confirmed, all of the security-oriented Cabinet posts with significant cyber responsibilities will be in place, and lawmakers can begin plowing through nominations at the deputy secretary level and other spots that play critical roles on cyber.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.