White House Shifts Its Cyber Legislative Strategy
Emphasis Will Be on Smaller, Not Comprehensive Legislation
The Obama administration is shifting its strategy to get Congress to enact meaningful cybersecurity reform.
Speaking at a forum Oct. 9, sponsored by the Christian Science Monitor, White House Cybersecurity Coordinator Michael Daniel says the administration will abandon its efforts to seek passage of a comprehensive cybersecurity measure in favor of smaller, more tailored bills.
"I do think it will probably be easier for us to get smaller pieces of cyber-legislation rather than one, giant comprehensive bill," says Daniel, a special assistant to the president. "So, a lot of our efforts are involved in getting whatever we can passed on whatever vehicle we can manage to get it attached to, as long as the policy and the legislation itself is acceptable. So, I think, that's one thing I would say that we're trying a different way of going about it."
Daniel, at the forum, also addressed the White House reaction to recent bank breaches and law enforcement concerns over the hard-to-crack encryption in the new Apple iPhones.
Working with the Democratic-controlled Senate, the administration over the past few congresses has backed comprehensive cybersecurity legislation that has never come up for a floor vote. However, the Republican-led House of Representatives has passed a series of cybersecurity bills with bipartisan support, including measures to encourage cyberthreat information sharing between the government and business and to reform the Federal Information Security Management Act, the law that governs federal government IT security.
Lawmaking is a Challenge
Daniel says the White House is committed to getting cybersecurity legislation enacted before the current Congress adjourns at year's end. "But obviously, getting anything passed on Capitol Hill right now is quite a challenge," he says. "We try to be realistic, but it's something that we still remain heavily engaged in."
The Senate has not scheduled any votes on cybersecurity legislation, and many people who track cybersecurity legislation have expressed doubts that Congress will act this year (see Expectations Low for Cyber Legislation).
It is unclear whether compromise can be reached between the White House and the House over several key pieces of cybersecurity legislation. The administration has threatened a presidential veto of the House-passed cyberthreat information sharing bill, the Cyber Intelligence Sharing and Protection Act, because it believes the measure provides insufficient privacy safeguards and furnishes too broad liability protections to businesses that share cyberthreat data (see White House Threatens CISPA Veto, Again). Regarding FISMA reform, the White House has backed legislation to give the Department of Homeland Security sway over civilian agencies' IT security activities, provisions the House bill lacks (see FISMA Reform Awaits Another Day).
Monitoring JPMorgan Chase Breach
During the forum, Daniel was asked about a report that the White House had been closely following suspected attacks on banks since the summer, as tensions between the U.S. and Russia continue to rise, but he didn't provide much additional insight. The report also says President Obama and his top national security advisers have been asking about the motive behind the attack on JPMorgan Chase (see Chase Breach: Who Else Was Attacked?).
Daniel says he couldn't provide details because of a continuing investigation by the FBI and Secret Service. "Part of our job on the National Security Council is to make sure the president and his senior advisers remain informed about a wide array of national security threats that confront the country," he says. "That was the context we were treating this particular issue.
"It is something that we pay attention to in the sense that we are mindful of all the threats to our critical infrastructure, whether you're talking about the financial sector, the electric sector, the telecommunications sector, so put into that broader context, anytime we see specific targeting or successful penetrations of those kinds of companies, it's something we're going to engage on."
Encryption: Policy Tension
Responding to a question, Daniel sympathized with objections raised by Attorney General Eric Holder and FBI Director James Comey that Apple's new iPhone and forthcoming Android mobile phones have data encryption so sophisticated that law enforcement with search warrants would not have access to the data. But the cybersecurity coordinator also noted the advantages of and need for industry to create stronger encryption (see Apple iOS 8 Reboots Privacy, Security).
"It's not so much in encryption itself, it's how is it that the government and our law-enforcement agencies [can] continue to gain access to information in the course of an investigation in a court approved process in a way that doesn't put something completely beyond the reach of law enforcement?" Daniel asks. "Even things that are in safes and other places are reachable by search warrant, in many cases, and so we don't want to have something that puts it utterly beyond the reach of law enforcement in appropriate circumstances.
"On the other hand, I think clearly we need to improve the use of encryption and how we employ it, and in many cases that would be very beneficial in protecting our intellectual property. This is a very hard area. We've had debates about encryption going back decades, probably as long as there has been encryption. ... This is going to continue to be a policy tension that we're going to have to try to navigate."