Cyber leadership void in Congress undermining efforts to address concerns
By James Norton
With August recess and the end of the fiscal year looming, congressional leaders say they are focused on cybersecurity. They are focused on the private sector as they work to collaborate on legislation that would bolster information sharing between the government and corporations. They are focused on the Executive Branch as they review the results of the White House’s 30-day “cybersecurity sprint.” But to truly address our cybersecurity vulnerabilities, Congress must turn its focus within.
Consider three recent cybersecurity issues and Congress’ response. As the government has disclosed, the cyber attack on the Office of Personnel Management (OPM) compromised the personal information of more than 21 million federal employees, contractors, and legislative leaders. Congress is now running a read-and-react playbook, scrambling to get movement on any cybersecurity bill. The most viable bill appears to be the Cybersecurity Information Sharing Act (CSIA), which would bolster information sharing between the government and the private sector through liability protection.
It may be a good policy to implement; however, it remains unclear what—if anything—the CSIA would do to prevent another cyber attack on the federal government. Furthermore, the CSIA is, at best, a piecemeal fix at a time when comprehensive reform is desperately needed.
Just last week, the Department of Defense requested a whopping $4.5 billion be reprogrammed in the wake of the OPM attack. To put it into perspective, that amount is four times as much as the Department of Homeland Security (“DHS”) spends on cybersecurity in an entire year. It seems staffers will handle this reprogramming request, without the benefit of hearings and public debate. If so, taxpayer dollars once again will be thrown at the cyber problem without real scrutiny as to whether they will be used efficiently and effectively.
This week brought the news that DHS’s political leadership—including the Secretary himself—may have exposed the department to vulnerabilities by using personal e-mail accounts on government desktops. There is no indication that those in Congress charged with overseeing DHS knew top-level officials were being granted exemptions from the Department’s ban on the use of personal e-mail.