5 Obstacles to Infosec Reform in 2011
Some Players Have Changed, But the Issues Remain the Same
Attempts to enact significant cybersecurity reform legislation failed in the 111th Congress. Will the 112th Congress be any different?
Some of the same obstacles that prevented enactment of major IT security reform linger in the new year. Here are five of them, in no order of importance:
1. Granting the federal government authority to direct the private sector on how to secure the nation's critical IT infrastructure, about 85 percent of which the private sector owns and operates.
With the Republican ascension in Congress, the conservative abhorrence of regulation is intensifying. Barring a virtual 9/11, getting IT security regulation enacted will prove tough.
2. Requiring federal agencies to establish minimal security standards for purchased IT wares.
The government already requires federal agencies to install the Microsoft Windows operating system with defined security controls as part of its Federal Desktop Core Configuration initiative. But some vendors who heavily lobby lawmakers contend that if the government establishes minimal security standards for other IT wares, its massive purchasing power would make them a de facto standard for those products in the marketplace. And the cost of securing them could drive up their price tags and, perhaps, diminish sales.
3. Who should be in charge of governing civilian agency IT security?
There's a split in Congress between those who believe that's the role of the White House and others who want to enhance the Department of Homeland Security's responsibility for civilian-agency cybersecurity governance. The House last fall passed legislation to establish an Office of Cyberspace in the White House - headed by a Senate-confirmed director - but that measure never came up for a vote in the Senate.
4. White House reluctance to endorse legislative remedies to secure critical IT.
As for a Senate-confirmed cybersecurity director, the Obama administration likes the current arrangement in which Cybersecurity Coordinator Howard Schmidt, as a presidential adviser, needn't testify before Congress, to the dismay of some lawmakers. High-ranking IT security officials from DHS spoke for the Obama administration at Congressional hearings last year, and none endorsed any of the significant IT security bills. Meanwhile, the White House instituted a number of initiatives last year to improve cybersecurity - such as requiring departments and agencies to move to continuous monitoring of IT systems to assure their safety - without the need of a new law.
5. Congressional gridlock.
Cybersecurity isn't partisan, a mantra often chanted on Capitol Hill. And Republicans and Democrats have worked harmoniously in drafting cybersecurity legislation over the past decade. But partisan bickering over the budget, deficit and healthcare could reverberate, deafening the sounds of bipartisanship that could shape cybersecurity reform legislation.
No predictions here on whether significant cybersecurity reform legislation will be enacted in the 112th Congress, except that the process in 2011 will feel a lot like the one in 2010.