Calls for Senate-confirmed cyber official revived

Monday - 7/11/2011, 8:06am EDT

Federal News Radio's Jason Miller

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

House lawmakers are renewing their call for a Senate-confirmed White House official to be in charge of civilian agency cybersecurity policy.

The Obama administration's legislative cybersecurity proposal did not include such a position despite strong support from both chambers of Congress. Instead, the White House's bill gives the Homeland Security Department the operational and policy responsibilities while the Office of Management and Budget retains the budget authority.

But House Oversight and Government Reform Committee members questioned that set up Thursday at the latest of several hearings focused on the administration's cyber proposal.

"There are several provisions in the administration's proposal I would like to see strengthened," said Rep. Elijah Cummings (D-Md.), ranking member of the committee. "First, I hope we will consider the creation of a Senate-confirmable official with authority to set administrationwide cybersecurity policy. It is important that the official responsible implementing the Federal Information Security Management Act (FISMA) have the authority to task all civilian depts. And agencies with implementation of the federal security standards."

Rep. Jim Langevin (D-R.I.) echoed Cummings on this issue.

Langevin, who introduced bills over the last two years to create this position and update FISMA, said current cyber coordinator Howard Schmidt doesn't have the right authorities. Langevin praised Schmidt for the job he is doing.

"We need a strong director's position in the Executive Office of the President that is charged with protecting our federal cyber networks," he said. "I want to see that position strengthened and I want to see it be a Senate-confirmed position with strong authorities."

Langevin said the White House official would have a top line view of all cyber efforts across the government. Currently, neither Schmidt nor DHS have that ability.

"Just last year the White House last year moved further away from this model by moving OMB's oversight for federal security to DHS," he said. "While DHS clearly has the operational lead for protecting the .gov network, what authority do they have to oversee agency budgets and actually compel these important technical challenges be addressed? OMB could do it, but does DHS have that sufficient authority? I really question that."

OMB gave DHS more authority July 2010 over all civilian agency networks, FISMA implementation and other operational elements.

Greg Schaffer, the acting deputy undersecretary for the National Protection and Programs directorate at DHS, said OMB retains the budget authority to be the enforcement entity.

"The legislative proposal would consolidate the oversight responsibility with the operational responsibility that we have and move things in the direction that we would be given the authority to direct departments and agencies to take action to improve their security and deploy appropriate protections," he said.

But Langevin, Cummings and others said this set up isn't enough.

In fact, one of the major Senate cyber bills, sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.), would create a Senate-confirmed cyberspace policy director in the White House.

The White House proposal is not a bill yet, but should one come to the House floor without the requirement for a Senate-confirmed cyberspace director, Langevin wouldn't hesitate to introduce an amendment.

"I'm hoping that ultimately the legislation proposed in the last Congress, which was passed as part of the National Defense authorization bill, including stronger authorities for the cyber coordinator, which would be a directors position, Senate-confirmed and stronger authorities, I want to see that legislation passed," he said. "If there is another vehicle for adding a Senate-confirmed position with strengthened authorities, I would certainly consider that."

The Senate-confirmed White House official was one of two areas committee members focused on that was not in the administration's proposal.

Rep. Jason Chaffetz pressed Schaffer on the security of commercial hardware and software, and whether there have been instances of developers planting malicious code in the technologies.

Schaffer said he's aware of instances where this has happened.

"This is one of the most complicated and difficult challenges we have," he said. "The range of issues goes to the fact that there are foreign components in many U.S. manufactured devices. There's a task force that DHS and DoD co-chair to look at these issues with goals to identify short term mitigation strategies and also to make sure we have capability to maintain U.S. manufacturing capabilities over the long term."

Chaffetz said the concern is the agencies and the public don't know foreign developers are planting viruses and backdoors into software and hardware, and the government already has felt the effect of these attacks.