Compelling Compliance Via Regulations
Senator Speaks Out on Funding Cybersecurity Initiatives
"How can the nation afford not to have what we are trying to accomplish under the Cybersecurity Enhancement Act," the New Jersey Democrat says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
Along with Reps. Michael McCaul, R-Texas, and Dan Lipinski, D-Ill., Menendez introduced the legislation June 7 that would boost cybersecurity research and the federal IT security workforce through scholarship programs and enhancing standards (see Congress Resurrects Cybersecurity Enhancement Act).
The Congressional Budget Office has yet to put a price tag on the bill, but last year, when the House passed a nearly identical measure - it never came up for a vote in the Senate - the CBO estimated its cost at $1 billion.
Menendez says the bill will get the best bang for the taxpayer buck by encouraging coordination and prioritization for research and development, improving the transfer of cybersecurity technologies to the marketplace and promoting cybersecurity education and awareness for the public.
The senator wouldn't put odds on whether his bill would pass in the current Congress, but says he's cautiously optimistic that comprehensive cybersecurity legislation - including the Cybersecurity Enhancement Act - would be enacted in the Senate, noting that two influential panels, the Homeland Security and Governmental Affairs Committee and the Commerce, Science and Transportation Committee, are moving forward with IT security legislation.
In addition, he says, large-scale breaches like Citigroup and others demonstrate the need for new cybersecurity laws, including breach notification (see Citi Breach: 360K Card Accounts Affected). "In the absence of that, we will push the regulators to make sure that there's timely notification."
Menendez, 57, served as a member of the House of Representatives for 13 years until he was appointed to the Senate in January 2006 to replace Jon Corzine, who had just become New Jersey's governor. He was elected to a full, six-year term in November 2006.
Menendez also serves on the Finance and Foreign Relations committees. He chairs Banking's Subcommittee on Housing, Transportation and Community Development and Foreign Relations' Subcommittee on Western Hemisphere, Peace Corps and Global Narcotics Affairs.
Senate Hacked
ERIC CHABROW: Before we get to the Cybersecurity Enhancement Act, first I would like to ask you what your thoughts were when you heard last week that the Senate computers were hacked.
ROBERT MENENDEZ: This is one of a series of challenges and attacks that have made it more pressing than at any other time to make sure that cybersecurity is being pursued rigorously and seriously, and that we treat this as any other national security risk. And certainly, when the Senate computers are subject to that, with all of its information that flows not only in terms of constituency but critical information that flows back and forth between the executive branch and the legislative branch, it just makes the case why we need to be vigorous in our enforcement.
Cybersecurity Enhancement Act
CHABROW: Going to the Cybersecurity Enhancement Act, simply the bill calls for enhancing government IT security standards, fostering cybersecurity research and development and creating scholarship programs to get more students to study IT security. It also calls for the administration to conduct an assessment of the government's cybersecurity workforce needs. The Congressional Budget Office has yet to calculate the cost of this measure, but a similar bill that passed the House last year carried a price tag of about a billion dollars. At a time when government has reached its limit and huge spending cuts are being sought, how can the nation afford this bill?
MENENDEZ: Well I would simply answer, how can the nation afford not to have what we are trying to accomplish under the Cybersecurity Enhancement Act? When I look at financial institutions like Citibank, when I look at the World Bank, when I look at threats against the Pentagon, when I think about if any of those efforts of cyber hacking were to be fully realized, the potential risk, when I think about our electric grid, and when I think about refineries on the grid, I say to myself, "Just have them be successful once and we will be howling about why the government didn't prepare itself for such an eventuality." Then we will be dealing with the consequences far beyond the cost that is pertinent to trying to have a skilled federal workforce making sure that we have the research and development that is necessary to provide for the ability to fight off any hacking opportunities, and also improving the transfer of cybersecurity technologies to the market place. And that means we're going to both save money in the market place and ensure that we can commercialize this ability to protect ourselves from cyber attacks in a way that is incredibly important to the nation's economy.
CHABROW: Whether it's your bill or other bills that are before Congress, it's going to take a lot of money to secure IT, not only in the government but in the nation too. Should cybersecurity be seen differently than other types of spending? Should it be seen more like the way the government treats defense, where cuts are hard to do?
MENENDEZ: Anything today, even defense, we're looking at significant reductions that even Secretary Gates calls for based upon our threats today vs. the Defense Department that we've created over the years in terms of past defense of states. We're more against fighting stateless terrorists, and that's also the challenge for us in many respects to cybersecurity. The question is, how do we do this in a way that both is cost efficient and at the same time deals with the proactive view of how do we have the prevention that would avoid us spending a lot more in the long term?
When I look at what our bill does, and what other bills do, in my mind we are focused on maximizing the potential with the least possible cost. Why do I say that? Because part of what we do is encourage coordination and prioritization of federal cybersecurity research and development. We improve the transfer of cybersecurity technologies to the marketplace and we promote cybersecurity education and awareness for the public. Now, not all of that necessarily means money. On the contrary, we create coordination and prioritization of R&D. When we improve the transfer of cybersecurity technologies to the marketplace, I think we can realize savings.
Also, when looking at the three main federal drivers, the National Science Foundation, the Department of Defense and the Department of Homeland Security, to cooperate in developing a research and development plan that is anticipatory instead of reactive, I think that's also very important, as well as coordinating these agencies' actions so that we don't have duplication and waste. In those respects, we are actually pursuing both our national interest in terms of our cybersecurity as well as doing it in a responsible way.
Passing a Cybersecurity Bill
CHABROW: The bill that you're sponsoring, a very similar bill passed the House last year but didn't pass the Senate. In fact, the Senate has not passed any significant cybersecurity legislation in several years. Is this Congress going to be any different?
MENENDEZ: I think so. This legislation passed the House 422 to 5, and that's about the most robust bipartisan vote you could ever get on any issue these days. I see the efforts underway in the Senate different than us, but nonetheless with Senators Lieberman and Collins, Rockefeller and Snowe, that's a good bipartisan effort. When I see that Senator Reid, the majority leader, has made cybersecurity a priority, I believe that we're going to have a process that brings these bills to the floor. And I will push for inclusion of these provisions in whatever moving legislation exists. And I think that those are likely to be done, I certainly hope in this session this year.
CHABROW: Any odds with that?
MENENDEZ: I don't go through odds because I've seen so much happen that the unexpected comes along. You have an earthquake or a tsunami in Japan. You have Gaddafi bombing civilians and all of a sudden that takes over the center stage of the nation and Congress's attention. I wouldn't give it odds, but I think that considering the Senate Homeland Security Committee and the Commerce Committee with Sen. Jay Rockefeller, which are the two main committees of jurisdiction, are moving forward with legislation, and the majority leader's own views are that this is something that's of national priority, it all bodes well for moving this year.
CHABROW: Could your bill be incorporated into their bills?
MENENDEZ: Yes it could be.
CHABROW: That's a likely route it'll probably go if it does get enacted?
MENENDEZ: My successes in various pieces of legislation have been by using a moving vehicle, something that's going to the Senate vs. hoping that it'll go through a whole committee process and what not. I think that our efforts that passed overwhelmingly in the House will be complementary to any other efforts that will come to the floor from those two committees.
Breach Notification
CHABROW: You are a member of the banking committee and you've asked the Office of the Comptroller of the Currency to investigate the recent breach at Citicorp and pointed out the bank failed to notify immediately hundreds of thousands of customers whose accounts were exposed. How tough should the government get to make sure banks or any businesses do a better job, not only protecting their customers' accounts and personal information, but notifying them when a breach occurs?
MENENDEZ: I would hope that the financial institutions on their own initiative would both be protecting against cyber attacks and certainly notifying their customers about breaches that take place that include financial and personal information, in this case, several hundred thousand bank cardholders. If the public reports are true that Citigroup waited weeks before notifying customers of their breach, that is unacceptable. It seems to me that as a minimum, regulators should insist that financial institutions in short order notify their customers of any breach so that they can take appropriate actions in protecting their own identity and information that may very well create a risk to them. I'm dismayed that, from not only this incident but others at various times, for some reason these institutions are reluctant to tell their customers in a timely fashion. I think that has to end. I would love to see it as an industry initiative. But in the absence of that, we will push the regulators to make sure that there's timely notification.
Also, what do the regulators know and when do they know it? Because obviously they should be very much aware of what is happening as well. Those are all the types of questions we've asked the Office of the Comptroller of the Currency.
CHABROW: Is this something where you feel the regulators have the authority to make sure that this breach notification, as well as other IT security standards, are implemented by banks?
MENENDEZ: I believe they do. But one of the questions that we've posed is if you don't feel that you have the regulatory authority to both be notified on a timely basis and/or to be made aware of the efforts of the standards in the industry as it relates to cybersecurity, then let us know. Because we may very well consider giving you that power if you believe you don't have it. I believe they have it, but I will wait to see what the regulators say.