Proposed Office of Cyberspace would come with budget authority

The U.S. government is not as nimble as it needs to be in responding to cybersecurity threats, Rep. James Langevin (D-R.I.) told an audience of government contractors Tuesday.

“Our cyber networks are not where I want them to be,” he said. “We in government are continually playing catch-up.”

To provide the central oversight and coordinate cybersecurity policy and performance among agencies, Langevin last week introduced legislation -- H.R. 5247 -- that would establish a National Cyberspace Office in the White House with budget authority over cybersecurity spending. The director also would oversee collaboration with the private sector and with other nations.

“We absolutely do not need to start over” on security strategies and policies, Langevin said in remarks at the Cybersecurity Contracting and R&D Opportunities Summit. He gave high marks to the Comprehensive National Cybersecurity Initiative launched by President George W. Bush in 2008 and also to the efforts by the current administration to make cybersecurity a top national security priority.

But better coordination of the nation’s cybersecurity posture is needed, along with updates to the Federal Information Security Management Act and a better defined role for the military in cyber defense and offense, he said. Langevin, who chairs the House Armed Services Subcommittee on Strategic Forces, said he supports the creation of the U.S. Cyber Command, announced in 2009, although it is controversial in some circles.

“I believe it is absolutely essential,” he said. He also praised NSA director Lt. Gen. Keith Alexander, who will head the Cyber Command, which is expected to become fully operational at Fort Meade, Md., in October.

“I’m a strong supporter of Gen. Alexander,” Langevin said. “He’s the right person at the right time.”

But in spite of progress that has been made toward better protecting the nation’s information infrastructure, “in my opinion, Congress is moving too slowly on this issue,” he said.

For that reason he introduced the Executive Cyberspace Authorities Act of 2010 (H.R. 5247), which was referred May 6 to the House committees on Oversight and Government Reform, Armed Services and Permanent Select Intelligence.

Under the bill, the National Cyberspace Office would be the focal point for coordinating efforts to assure a reliable, secure and survivable information infrastructure for government. The director would require Senate confirmation, would have a seat on the National Security Council and would coordinate defense of government networks in case of any attack.

Among its primary duties would be “developing and overseeing the implementation of policies, principles, standards and guidelines on information security.” Perhaps most significantly the office would review and approve or disapprove agency cybersecurity budgets. The budgets would be submitted to the office before going to the Office of Management and Budget. The budget proposal would include a review of IT threats faced by the agency, plans for defending against these threats, a review of previous year’s plan, and credentialing activities for identity management and access control.

The Defense Department and CIA would exercise the Cyberspace Office’s authority over their own mission critical systems, and the office would not have authority over national security systems. The office would coordinate with agencies operating national security systems, however, to ensure that security standards developed by the National Institute of Standards and Technology for the rest of government are complementary with those for national security systems.

Langevin’s bill joins a host of other bills pending in the House and Senate to reform and update the nation’s cybersecurity policies. With priorities being given to reform of financial industry regulation and climate change legislation, chances of passage of these cybersecurity bills before this fall’s congressional elections are considered slim.