Walden Expects to Issue Cybersecurity Recommendations Soon
House Communications Subcommittee cybersecurity recommendations are imminent, Chairman Greg Walden told reporters. The Oregon Republican had no more cybersecurity hearings planned after Wednesday’s, and has already met with the subcommittee’s cybersecurity working group to review draft recommendations, he said after the hearing. The working group had been expected to issue recommendations by the end of this month or early April (CD March 21 p6).
The subcommittee is not headed toward legislation at this point, said Walden, adding that he’s a co-sponsor of the cybersecurity bill by House Intelligence Committee Chairman Mike Rogers, R-Mich. The Commerce Committee doesn’t want to offer legislation “just for the sake of doing it,” said committee aide Neil Fried. Walden declined comment on HR-4263, the cybersecurity bill offered Tuesday by subcommittee member Mary Bono Mack, R-Calif.
Walden supports a “light touch” approach with “oversight and continued intelligence gathering,” he said. “What we've heard consistently” is not to be “so prescriptive in legislation that you misallocate [industry] capital” or “tell the bad guys where we're headed,” he said. Walden acknowledged there are many bills and “some may be at odds” but said “it’s good that our members are engaging in this discussion and debate.” The various bills will later be “merged together appropriately,” he said.
Other subcommittee Republicans echoed reservations about regulating during remarks at the hearing. Rep. Lee Terry, R-Neb., said he’s against giving the Department of Homeland Security rulemaking authority, as proposed by Sen. Joe Lieberman, I-Conn. Terry favors a more flexible approach and lacks confidence in DHS, he said. Terry, Walden and other Republicans praised the voluntary, industry best practices (CD March 23 p1) approved by the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC).
Government may still have a role in keeping industry accountable, said Commerce Committee Ranking Member Henry Waxman, D-Calif., joining Republicans in praising the CSRIC best practices. “For example, what if one company fails to be as diligent as others in following best practices and, as a result, causes a cyberbreach that rises to the level of national concern?” If companies want exemptions from privacy and civil liberties protections when addressing cybersecurity, they should be willing to let government hold them accountable, Waxman said.
Nine major ISPs covering 80 percent of the U.S. population have already agreed to adopt the CSRIC best practices, and the commission is working to sign up the remaining 20 percent, said FCC Public Safety Bureau Chief Jamie Barnett, touting the voluntary nature of the CSRIC best practices. The FCC is reaching out to smaller companies and the next focus of CSRIC will be to identify barriers to adopting the best practices, he said. While favoring a voluntary approach, Barnett said it’s important for government to measure the effectiveness of any method.
Collaboration with industry is important because the private sector owns most of the nation’s infrastructure, said Roberta Stempfley, acting assistant secretary in DHS’s Office of Cybersecurity and Communications. Stempfley said she supports giving DHS authority to set standards as proposed by Lieberman. NTIA supports a “multi-stakeholder approach” to coordinating the domain name system (DNS), “convening the private sector, civil society, as well as governments to address issues in a timely and flexible manner,” said NTIA Associate Administrator Fiona Alexander. She urged continued support for DNS security extensions deployment, use and adoption.
“Computer systems can never be fully trusted” and machines should be “presumed to be infected,” said Robert Hutchinson, senior manager for Information Security Sciences at Sandia National Laboratories. Security analysts focus too much on data theft when they should also consider “malicious data modification,” an attack that “will alter our data and affect our decision processes,” he said. More focus also needs to be placed on the supply chain to prevent pre-installed malware on computer systems, he said.