Earlier this week, the Senate Homeland Security and Government Affairs Committee (HSGAC) introduced a cybersecurity bill that would outline the Department of Homeland Security's responsibilities for overseeing cybersecurity at privately-owned critical infrastructure organizations.
Unfortunately, some members of the Senate believe that this legislation is being rushed through Congress without the appropriate level of vetting. One Senator released the following statement: "Rather than rush into a massive bill that could have unintended consequences and may not address the problems it is supposed to, the American people would be better served by holding hearings and a markup so that members of both parties can make informed decisions about cybersecurity legislation."
Here we go again! Before our eyes, Congress is prioritizing politics over a pressing issue with national security implications. Of course this legislation isn't perfect, but:
- No one is rushing this bill anywhere. The statement above gives the impression that this bill came out of nowhere but that's completely erroneous and somewhat deceptive. In truth, the roots of this bill have been debated for at least 4 or 5 years now. Congress had an opportunity for deliberation; it is now time to act.
- The bill had bipartisan support in committee. Okay, let's suppose that there are legitimate differences of opinion about cybersecurity along party lines. A likely assumption, but this bill has already passed through the partisan wringer and exited committee with bipartisan support from people who've studied the issues at hand. Isn't that what committee members are supposed to do BEFORE introducing legislation to the Senate?
- Security professionals working at critical infrastructure organizations want Federal action. At the end of 2010, ESG surveyed security professionals working at critical infrastructure organizations and asked them if they thought that the U.S. Federal Government should be more involved with cybersecurity. Thirty-one percent said that the feds "should be significantly more active with cybersecurity strategies and defenses," while 40% indicated that the Federal Government should be "somewhat more active with cybersecurity strategies and defenses" (note: This report is available for download on the ESG site). If the most knowledgeable cybersecurity practitioners from critical infrastructure organizations believe that the government should act, doesn't that tell you something?
In speaking to Congress about cybersecurity risks to the U.S. critical infrastructure, the Deputy Defense Secretary warned Congress about a potential "digital Pearl Harbor." That was in 1998. Yes, we've made some progress but not nearly enough - especially in light of the ever more ominous cybersecurity threats we face.
I know I am being dogmatic here but I've read the bill and know the topic quite well. The bill is far from ideal but I think the American public can live with it and of course we can fine-tune the provisions over time. Therefore, I believe that it is time for Senators (who really don't understand this issue) to stop using the public as a political/digital sacrificial lamb, and pass legislation.
You can read Jon's other blog entries at Insecure About Security.