The Department of Homeland Security will delay an intrusion detection program to protect U.S. government computers from cyber-attacks and has canceled cybersecurity exercises, Secretary Janet Napolitano said today.
Across-the-board budget cuts known as sequestration are also slowing the agency’s ability to fill vacancies in cyber incident response teams and disrupting the government’s broad efforts to boost cybersecurity, Napolitano said at a Senate hearing.
“Sequester reductions require us to scale back the development of critical capabilities for the defense of federal cyber networks,” Napolitano said. “Further action is needed by Congress including immediate action to address the sequester if we are to meet our responsibilities.”
The secretary spoke at a hearing to examine President Barack Obama’s executive order on cybersecurity and whether congressional legislation is needed. The Feb. 12 order is aimed at protecting vital computer systems that run the power grid and air-traffic-control systems from digital sabotage.
Republicans questioned whether the government is capable of carrying out the executive order given its own problems dealing with computer threats.
The federal government’s record managing cybersecurity “begs the question about them directing what the private sector should do,” John Thune of South Dakota, the top Republican on the Senate Commerce Committee, said at the hearing.
The government shows persistent shortcomings in assessing cybersecurity risks, developing programs and monitoring results at federal agencies, Gregory Wilshusen, director of information security issues at the Government Accountability Office, said in testimony at the hearing. The government lacks a centralized information-sharing system, and DHS hasn’t yet developed predictive analysis on cyber threats, he said.
Obama’s order directs the government to develop a set of voluntary cybersecurity standards for critical industries and increase sharing of threat information with the private sector. It instructs federal agencies to consider making the standards binding for critical industries they oversee.
The executive order doesn’t establish incentives for participating in voluntary programs, and a “suite of legislation” is needed, Napolitano said.
“While I commend the president for issuing this very important order, there was only so much he could do using the authorities granted to him under existing law,” Tom Carper, chairman of the Senate Homeland Security and Governmental Affairs Committee, said in an opening statement. “Those authorities are simply not enough to get the job done.”
Congress can do more to encourage companies to share threat information with each other and the government, and offer incentives such as liability protection for critical industries to improve defenses, said Carper, a Delaware Democrat. Lawmakers can also modernize federal-agency security rules, boost recruitment of cybersecurity workers, and better coordinate research and development efforts, he said.
Carper and Senate Commerce Committee Chairman Jay Rockefeller, a West Virginia Democrat, led today’s hearing. Both sponsored a cybersecurity bill blocked last year by Senate Republicans who said its proposed cybersecurity standards would lead to burdensome regulation.
The U.S. Chamber of Commerce and companies including AT&T Inc. and Comcast Corp. support a bill from House Intelligence Committee Chairman Mike Rogers that focuses solely on cyber threat information sharing, giving legal protection for companies that share such data with each other and the government. Rogers, a Michigan Republican, and the intelligence panel’s top Democrat, Representative C.A. “Dutch” Ruppersberger of Maryland, reintroduced the measure last month.
Obama threatened to veto the Rogers bill the day before it passed the House last year, saying the measure didn’t go far enough to boost computer defenses and failed to protect the privacy of sensitive consumer data.
Napolitano said the House bill has privacy “deficiencies” and puts information sharing under the National Security Agency, a military agency, when it should be under civilian-agency oversight.