Federal cybersecurity officials on Wednesday gave lawmakers a sobering warning about the vulnerabilities of critical information technology systems across the public and private sectors, describing a laundry list of threats and the challenge of keeping up with hackers who are continually seeking new methods of attack.
Appearing before a House subcommittee, cybersecurity authorities from the Department of Homeland Security, the Federal Communications Commission and other government arms testified to the work their agencies are undertaking in response to the ongoing threats, both internally and in concert with the private sector, but acknowledged that the challenges remain formidable and appealed for expanded government authority to shore up the nation's digital defenses.
"Cybersecurity threats are a real and present danger to our current economy and well being," retired Adm. James Barnett, chief of the FCC's Public Safety and Homeland Security Bureau, told members of the Energy and Commerce Committee's Subcommittee on Communications and Technology. "No one would tolerate the level of criminality, thievery, vandalism or invasion of privacy if it were done in the physical world, and we really can no longer afford to tolerate it in cyberspace."
Barnett and other witnesses described a wide range of threats and vulnerabilities that imperil communications networks, including weaknesses in the domain name system, or DNS, man-in-the middle attacks, route hijacking and weak spots in the supply chain.
But while there is broad agreement that the threats are severe and constantly evolving, deep divisions arise in the policy debate over what role the federal government should play in developing and overseeing the nation's digital defenses.
The Department of Homeland Security is at the center of that discussion. In the Senate, competing bills have emerged to address the cybersecurity challenge. One proposal, backed by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), would grant DHS new authorities to oversee private-sector digital infrastructure that was deemed critical. A competing bill takes a far more limited approach, focusing instead on facilitating the sharing of information about cyber threats among public and private entities. The Republicans backing that measure, the SECURE IT Act, have been sharply critical of DHS' performance on many security fronts, including cybersecurity.
Those same suspicions were on display in Wednesday's House hearing. Rep. Mary Bono Mack (R-Calif.), who yesterday introduced the companion bill to the SECURE IT Act in the lower chamber, cited the department's handling of the Chemical Facility Anti-Terrorism Standards program, which she said has squandered hundreds of millions of dollars without measurably improving the infrastructure of the chemical sector. How, then, could DHS be trusted to oversee cybersecurity?
Roberta Stempfley, acting assistant secretary for cybersecurity and communications at DHS, acknowledged the department's missteps with the chemical program, but said that the differences between the two industries are "profound," and noted the extensive work that DHS has already done in the cybersecurity arena, where it is the lead agency in charge of securing the systems on the civilian side of the federal government.
Bono Mack's frustration was evident.
"With all due respect, I didn't really hear an answer in your answer," she shot back. "I think you've rattled off quite a list of acronyms, but I don't know that my constituents would feel safer by the list of acronyms that you have used."
The witnesses representing government agencies each endorsed the expanded regulatory authority that the Lieberman-Collins bill would grant DHS, adding to the ranks of senior administration officials who have spoken out in support of the legislation.
But even as the Senate is poised to take up the Lieberman-Collins bill in a floor debate, any legislation that includes the DHS provisions would face vehement opposition in the Republican-controlled House. Time and again, critics have argued that the federal government is not agile enough to oversee such a rapidly evolving area as cybersecurity, and that expanded regulatory authority would shift scarce industry resources from defense to compliance, with the perverse outcome of actually undermining security.
"Frankly, putting an agency in charge of developing rules, even with collaboration, is dooming that industry," said Rep. Lee Terry (R-Neb.).
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Read more about government in CIO's Government Drilldown.