Lieberman lays out his cyber security plan
He's earned headlines, praise and criticism this week for his stance on health care reform, but Sen. Joseph I. Lieberman (I-Conn.) shifts gears Friday to focus on another long-brewing issue: cyber security.
The Connecticut lawmaker will publicly state for the first time his preference for a Senate-confirmed White House official to coordinate the government's efforts, saying that the Homeland Security Department should take the lead in protecting most computer networks.
"The federal government has an inherent responsibility to its citizens protect its own networks, but also to work with the private sector and ensure a reliable supply of electricity and water and the continued, orderly functioning of financial, communication and transportation systems," Lieberman will say, according to prepared remarks to be delivered at the U.S. Chamber of Commerce in Washington. (See excerpts of the speech after the jump.)
Lieberman will say the government needs the Senate-confirmed cyber security coordinator "to ensure that the classified work conducted by Department of Defense and intelligence agencies is informing the defensive actions taken by our domestic agencies."
The administration has struggled since last winter with recruiting and retaining a cyber security "czar," and said just last week that it has yet to pick a candidate.
Lieberman's preference for a White House official puts him at odds with Sen. Susan Collins (R-Maine), the ranking Republican on the Senate homeland security panel. Collins wants to give Homeland Security Department the ultimate cyber security authority, instead of a White House czar. The disagreement is notable since Lieberman and Collins maintain a close, virtually nonpartisan and mostly agreeable working relationship on the committee.
Lieberman's cyber security bill would also establish a voluntary cyber security standards program, similar to the "Good Housekeeping or "Energy Star" seals of approval.
"The idea is for the Department to be a resource not a regulator," Lieberman will say.
In addition to Lieberman and Collins' proposals, the Senate Judiciary Committee will soon hold a hearing how the Homeland Security and Justice departments are handling cyber security issues.
Leave your thoughts in the comments section below.
EXCERPTS FROM A SPEECH BY SEN. JOSEPH I. LIEBERMAN (I-CONN.) ON CYBER SECURITY:
One: I believe we need to establish a cyber security coordinator within the Executive Office of the President. This would be a Senate confirmed official, accountable to Congress who would coordinate cyber security activities across all federal agencies, provide strategic leadership and guidance to the President and have necessary authority and resources to make change as needed.
We need this kind of position in the White House specifically to ensure that the classified work conducted by Department of Defense and intelligence agencies is informing the defensive actions taken by our domestic agencies. Only the Office of the President has the authority to ensure that everyone is working off the same playbook. The person who fills this position would also develop a true national cyber security strategy and ensure that each agency’s operational activities are in line with that vision.
Two: We need to give the Department of Homeland Security the necessary authority and personnel to monitor the federal civilian networks and defend against malicious traffic. Currently DHS has this responsibility by executive order, but it lacks both the people and the cooperation from the other federal agencies to succeed. Under my proposal, DHS will develop a robust operational capability to monitor and defend the federal networks and will become a source of expertise and a force multiplier for agencies with cyber security problems.
In order to make this work, the Federal Information Security Management Act (FISMA) must be reformed to hold each agency accountable for good internal security practices. We will push agencies to move to a real-time evaluation process that is more reflective of the ever changing cyber environment. And we will empower the Chief Information Security Officers within the agencies to give them the authority and resources to do their jobs.
Three: I also want DHS to do more to help the private sector protect itself from cyber attack. First and foremost, DHS should focus on ensuring the security of the nation’s critical infrastructure, upon which our way of life depends. I am thinking of our financial and electric power, and mass transportation infrastructures controlled by cyber systems. The federal government has an inherent responsibility to its citizens protect its own networks, but also to work with the private sector and ensure a reliable supply of electricity and water and the continued, orderly functioning of financial, communication and transportation systems.
To that end, my bill will require DHS to identify the most critical cyber infrastructure and ask its operators to perform risk assessments to identify existing vulnerabilities. If problems are found, DHS will work with the companies to decide the best way to mitigate the vulnerabilities but will not mandate a one-size-fits-all strategy to bolster security. DHS will be required to develop a two-way information sharing system where the Department not only receives vulnerability and breach information from the private sector but also provides threat up-to-date information and analysis on the state of our nation’s networks.
DHS should provide guidance for small and medium sized businesses that also must protect themselves from cyber attack. Under my bill, DHS would establish a voluntary cyber security standards program and encourage members of the private sector to implement those standards through a certification program.
The idea is for the Department to be a resource not a regulator and companies implementing strong security measures might even be awarded a seal to display on their site, much like the “Good Housekeeping” or “Energy Star” seals consumers often use when making purchasing decisions.
Four: We should require new government acquisition policy and practices to tighten the security of government systems, which in turn will drive similar security innovations for products available to the public.
The Federal government alone spends over $75 billion annually on information technology – a number that will only grow, and one that gives the government enormous market influence. We must ensure that federal agencies address security as they procure IT products and services, instead of after-the-fact through costly patches or additional purchases. In doing so, we believe we can incentivize the industry to offer more secure products and services to all of their clients.
Five: Legislation should address challenges in hiring, retaining, and training cyber security personnel in the federal government. Agencies are competing not only with each other to hire these individuals, but also with the private sector. We must give federal agencies the necessary hiring and pay flexibilities to allow them to compete. Additionally, we need to develop a cyber security career path in the federal government coupled with the necessary training programs to retain these experts.
Posted by: DupontJay | October 30, 2009 1:25 PM | Report abuse
Posted by: Nymous | October 30, 2009 8:30 PM | Report abuse
Posted by: washingtonpost38 | October 31, 2009 7:25 PM | Report abuse
The comments to this entry are closed.