DHS Cybersecurity Official Urges Congress to Pass Liability Protections, Ease Federal Hiring
Action from Congress on liability protections and improvements to federal hiring will aid the Department of Homeland Security in its work to strengthen public-private partnerships on cybersecurity, said Phyllis Schneck, DHS deputy undersecretary-cybersecurity, during a Senate Homeland Security Committee hearing Wednesday. The hearing focused on how DHS, the National Institute of Standards and Technology and critical infrastructure entities have been implementing President Barack Obama’s 2013 cybersecurity executive order. NIST released its “Version 1.0” Cybersecurity Framework in mid-February, while DHS began to encourage voluntary industry use of the framework at the same time through its Critical Infrastructure Cyber Community program (WID Feb 13 p1).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Liability protection is widely seen as one of the key issues that comprehensive cybersecurity legislation will need to address, but Congress has been unable to pass any significant cybersecurity legislation in the 113th Congress. Industry observers say they believe there are minimal prospects for cybersecurity legislation to pass during the remainder of this year (WID Jan 6 p2). Several members of Senate Homeland Security noted that lack of legislative progress Wednesday, with Sen. John McCain, R-Ariz., saying the Senate has been addressing the issue in a “circular fashion.”
McCain said he continues to advocate for the formation of a select committee to address cybersecurity, saying part of the lack of legislative progress stems from cybersecurity’s inclusion in the legislative portfolio of multiple committees, including the Senate Intelligence Committee, the Senate Armed Services Committee and the Senate Commerce Committee. He urged the formation of a select cybersecurity committee at a Senate Armed Services Committee hearing in late February (WID Feb 28 p8). It’s up to Congress to determine which committees oversee cybersecurity issues, said Stephen Caldwell, the Government Accountability Office’s director-homeland security and justice issues.
Part of Congress’s difficulty in passing legislation on cybersecurity liability protection has been the lack of a consensus on what the scope of that protection should be, said Senate Homeland Security Chairman Tom Carper, D-Del. The White House backed limited liability protections, while Republicans have favored general liability protections. Schneck, former chief technology officer at McAfee, said she would have welcomed new cybersecurity protections while at McAfee because company lawyers often were apprehensive about allowing information sharing with other security companies, critical infrastructure agencies or the government. The more limited liability protections the White House has advocated make sense because of the need to protect citizens’ civil liberties and data privacy, Schneck said.
Committee Republicans argued Thursday that more expansive liability protections were necessary. Committee ranking member Tom Coburn, R-Okla., said limited liability protections would be ineffective and would not strengthen DHS public-private partnerships in the way Schneck advocated. If liability protections are allowed only on an incident-by-incident basis, “we're going to lose this battle,” Coburn said. Sen. Ron Johnson, R-Wis., advocated “erring on the side of too much liability protection,” which he said would hurt only trial lawyers.
Congress should ease DHS’s hiring processes to encourage more candidates to apply for cybersecurity jobs, Schneck said, saying “from what I'm told, the hiring process is very, very difficult.” It’s also difficult to attract top cybertalent to the agency because the private sector offers salaries that can result in “six-figure differences,” Schneck said. DHS can partially overcome that pay gap because of its unique mission, but “we have to have the flexibility and some additional competitiveness to bring them inside and see what we do and get them onboard,” she said. “That’s our future.” Coburn pledged to give DHS “the capability to hire the people you need,” saying the committee plans to consider a bill at its next markup session that would ease some federal hiring restrictions.