Cybersecurity Focus of House Energy and Commerce Committee Hearings
by David Valdez on Thursday, May 23, 2013
Tags: cybersecurity, house
The House Energy and Commerce Committee and the Subcommittee on the Internet held back-to-back hearings on May 21 focused on “Cyber Threats and Security Solutions” and “An Examination of the Communications Supply Chain” in what was a marathon day of testimony.
The first hearing consisted of two panels. The first panelist was Patrick Gallagher, undersecretary of commerce for standards and technology and director of the National Institute of Standards and Technology (NIST). He testified alone.
Gallagher spoke at length about NIST’s efforts to develop a “voluntary policy framework to reduce cybersecurity risks to the country’s critical infrastructures, pursuant to President Obama’s executive order (EO) issued on February 12, 2013, entitled ‘Improving Critical Infrastructure Cybersecurity.’” NIST is tasked with developing a cybersecurity framework to serve as a voluntary, performance-based set of standards for critical infrastructure providers as promulgated by the EO.
Gallagher stated that once the EO was released, NIST issued a request for information (RFI) to solicit comments and input on how such a voluntary framework should be developed. Gallagher stated the agency received hundreds of responses as a result of the RFI.
During his testimony, Gallagher affirmed NIST’s support for a voluntary framework – as opposed to a regulatory mandate – to protect critical infrastructure systems because the dynamic nature of cyber-threats requires a framework that is nimble and adaptable to new and emerging threats. The agency’s policy position is that a voluntary approach is best suited for the rapidly changing world of cyber-threats and attacks.
The second panel consisted of six industry representatives from the critical infrastructure community. The panelists were largely in support of a voluntary framework for protecting the nation’s critical infrastructure systems against cyber-threats and attacks. There was also unanimous support for the recently passed House legislation entitled “the Computer Intelligence Protection Act of 2013” (CISPA).
The third and final panel was convened by the House Energy and Commerce Subcommittee on Communications and Technology, chaired by Congressman Greg Walden. This hearing focused on “Cybersecurity: An Examination of the Communications Supply Chain.” This panel included seven speakers representing the IT sector. The purpose of the hearing was to focus on “challenges in securing the communications supply chain, what steps industry is taking, and what role standards organizations, public private partnerships and the government might play.” There was unanimous agreement from the panelists that the federal government should not implement any new regulations aimed at the communications supply chain.
Several of the panelists were concerned that any attempts to regulate how providers, manufacturers and vendors manage the communications supply chain ecosystem could have a domino effect on a global scale. U.S. legislation of the communications supply chain could cause countries such as China and India to impose new communications supply chain regulations to force American companies to reveal proprietary and trade secret information under the banner of supply chain security.
Instead, the industry advocated in favor of a voluntary global standards framework. The benefits of a voluntary approach would be a more readily adoptable set of international security standards. A global voluntary security framework also incentivizes world economies to participate in the development of international security norms for the protection of the global communications supply chain, which allows for the global consumption of American-made goods and services.
Will CISPA Protect Against Cyber-Threats or Undermine the Fourth Amendment?
by David Valdez on Thursday, April 18, 2013
Tags: cybersecurity, house
Debate unfolded this week on the House floor on the bipartisan Cyber Intelligence Sharing and Protection Act (CISPA), sponsored by Representatives Mike Rogers (R-Mich) and Dutch Ruppersberger (D-MD). Representative Bob Woodall (R-GA) gave an impassioned speech on the importance of preserving consumer privacy while also advocating for the passage of CISPA as a tool to protect against foreign nation actors that form “teams of cyber warriors led by nation states focused on stealing U.S. technology and intellectual property.” Republicans in favor of CISPA argue that in the absence of adequate controls to share cyber-threat and attack information between the private and public sector, the U.S. economy will continue to be vulnerable to foreign espionage and theft of American trade secrets and intellectual property. Ruppersberger argued, “If you don’t have security you don’t have privacy.”
Democrats largely led the opposition to CISPA. Congressman Doc Hastings (D-FL) argued that CISPA as currently written is a back door toward the violation of Americans’ civil liberties. The majority of representatives that oppose CISPA cite privacy concerns. They argue that CISPA allows the federal government and the private sector to potentially share personally identifying information belonging to law-abiding citizens. There are a total of 12 amendments that will be debated this week largely aimed at strengthening the privacy provisions of CISPA.
The bill is expected to go to the floor for a vote today.
Click here for a summary of the 12 CISPA amendments.
FISMA Reform and Cyber-security Enhancement Act Headline Cybersecurity Suspension Bills in House of Representatives
by David Valdez and Randi Parker on Wednesday, April 17, 2013
Tags: cybersecurity, house
This week, three cyber-security-related bills were passed by the House of Representatives. Three in particular were introduced “under suspension,” meaning that these bills are generally considered less controversial and, as such, receive less time for debate but require a two-thirds majority vote for passage. All three bills passed with overwhelming bipartisan support.
Coinciding with an op-ed published this week in Politico, Representatives Darrell Issa and Elijah Cummings, the chairman and ranking member of the House Committee on Government Reform and Oversight, introduced “the Federal Security Amendments Act 2013” or H.R. 1163.
In the op-ed, the congressmen point out that the “check-the-box mentality” for protecting the federal government’s IT infrastructure is inadequate for a tech-savvy world of cyber-hackers. The current Federal Information Security Management Act (FISMA) was passed in 2002, which is an eon ago in the tech world.
However, the federal government remains the world’s largest purchaser of IT products and services with an annual spend estimated at $74 billion. Comprehensive FISMA reform would have a spill-over effect across the entire IT ecosystem. With such a large IT footprint, the federal government’s cyber-security practices reverberate across the IT sector and ultimately our economy.
The second bill was “the Cybersecurity Enhancement Act” or H.R. 756. Like FISMA, the bill is not a new one for Congress. In fact, the legislation was passed in 2010 and 2012 by the House with broad bipartisan support but never got off the ground in the Senate. The legislation addresses key components of cyber-security research and development along with cyber-security workforce needs.
Among other things, the legislation:
- Addresses coordination in government, providing for a strategic plan to assess the cyber-security risk and guide federal cyber-research and development;
- Updates the National Institute of Standards and Technology (NIST) responsibilities to develop security standards for federal networks and processes for agencies to follow;
- Establishes a federal-university-private-sector task force to coordinate research and development and improve training of cyber-professionals; and
- Continues cyber-security research and development programs at the National Science Foundation (NSF) and NIST.
The lead sponsors of the bill, Congressman Michael McCaul (R-TX) and Congressman Dan Lipinski (D-IL), have been committed to this legislation for several years. As members of the cyber-security and IT community, we are grateful for their dedication to this critical issue. We encourage the Senate to review this legislation as a stand-alone bill or as part of a comprehensive cyber-security package.
The third bill that was passed under suspension is “the Advancing America’s Networking and Information Technology Research and Development Act of 2013” or H.R. 967. This bill seeks to update the Networking and Information Technology Research and Development (NITRD) program. NITRD is the main program for coordinating unclassified networking and information technology research and development among federal agencies.
We applaud the House for moving forward with three bills related to cyber-security and look forward to continuing to work with the various committees as new legislation is introduced over the course of the session.
What is the Controversy over the ‘Cyber Intelligence Sharing and Protection Act’?
by David Valdez on Monday, April 15, 2013
Tags: Obama, cybersecurity, house
Last Thursday, the House Intelligence Committee voted the “Cyber Intelligence Sharing and Protection Act” (CISPA) out of committee by a vote of 18-2. The bill is headed for a floor vote this week.
In a nutshell, CISPA allows for private sector companies such as Internet service providers and telecommunications companies to share information with federal agencies about online cyber-threats and attacks.
The bill is controversial because consumer protection groups and civil liberty organizations are concerned that the private sector will share user information with federal enforcement agencies. An additional concern is that this information can be shared with the National Security Agency (NSA), which is part of the Department of Defense. Civil liberty groups argue that the military shouldn’t be able to operate on U.S. soil against American citizens. Moreover, under CISPA, companies would receive immunity from liability for sharing warrantless information about cyber-threats and attacks with U.S. enforcement agencies. An online petition has over 100,000 online signatures opposing the legislation.
As a result, CISPA has gone through several iterations through amendments. The current CISPA draft would require any information provided to the federal government to be stripped of any personally identifying information belonging to users. In addition, the new regulation would not “expressly require” private companies to share cyber-threat and attack information with NSA. However, it would also not prohibit private sector companies from sharing cyber-threat and attack information with NSA.
Currently, the industry is divided over whether to support or oppose the legislation. Companies such as Verizon, IBM, McAfee and Oracle support CISPA. On the other end, Reddit is leading the charge against CISPA and is urging tech giants such as Google and Twitter to oppose the proposed law.
The bill still has to survive a floor vote this week. The Obama administration has indicated that it still has concerns with the current iteration of CISPA. Stakeholders on both sides of the issue are mobilizing in anticipation of the vote.
Cyber-Security Legislation Will Get Rebooted During ‘Cyber Week’
by David Valdez on Tuesday, April 09, 2013
Tags: legislation, cybersecurity
Congress failed to pass major cyber-security reform during the 2012 legislative session. In the Senate, Democratic Majority Leader Harry Reid (D-NV) pushed the “Secure Act of 2012” to a floor vote, but failed to get the necessary votes. In the House, Republican Majority Leader John Boehner (R-OH) advocated for cyber-security reform through a series of individual bills, as opposed to one comprehensive bill, as a step toward enhancing America’s defenses on cyber-security.
At the start of 2013, we have seen a reboot of the discussion on the need for cyber-security reform, but each chamber is taking the same approach as last time, with the Senate seeking to push one major bill and the House seeking to push several individual bills.
However, there are two new developments in 2013 that may push Congress to act. First, earlier this year the Obama Administration issued an executive order on cyber-security directing federal agencies to improve their cyber-security efforts, including the sharing of information about cyber-threats and attacks with the private sector.
Second, the Obama Administration undertook a more direct role by publicly raising concerns with the Chinese government about cyber-security attacks on U.S. interests.
These developments have raised the stakes on Congress and the IT industry to do more to ensure the passage of cyber-security reform. There is recognition that the U.S. economy is vulnerable to a major cyber-security attack from abroad, so the sense of urgency on the Hill is real.
To address the need for cyber-reform, the House Leadership has announced that April 15 to 19, 2013, will be “cyber week.” There are at least four bills that will be put up for votes:
- H.R. 624: Cyber Intelligence Sharing and Protection Act (HPSCI).
- H.R. 1163: Federal Information Security Amendments Act of 2013 (OGR).
- H.R. 756: Cyber-security Enhancement Act of 2013.
- H.R. 967: Advancing America’s Networking and Information Technology Research and Development Act of 2013 (Science).
Combined, these bills would create a new framework for the sharing of information between the federal government and critical infrastructure owners and operators. The Federal Information Security Management (FISMA) Act would be reformed to incorporate a model of “continuous monitoring.” Finally, several federal agencies would be granted authority to continue, resume or create new programs designed to increase the U.S. government capacity for research and development focused on cyber-security.
President’s Cyber-Security Executive Order Issued as Reports Emerge of Chinese Army Coordinating Cyber-Attacks on American Soil
by David Valdez on Thursday, February 21, 2013
Tags: Obama, security, cybersecurity, small business, smallbiz, congress
Last week, the president issued a long-awaited executive order that seeks to protect critical infrastructure – an action he promised soon after Congress didn’t reach agreement on cyber-security legislation last year. This week, the New York Times reported that a link has been established between cyber-attacks against U.S. companies and firms that provide a variety of services, including those that provide services to critical infrastructure owners and operators. This is an alarming development that has been years in the making. To make matters worse, the report cited numerous security experts that expect the Chinese military to become increasingly more sophisticated and adept at launching cyber-attacks.
CompTIA firmly believes that protecting our nation’s infrastructure against cyber-attacks is among the most important issues facing our national and economic security and well-being. These attacks and ongoing threats to our nation’s IT infrastructure only highlight the need to implement sound security measures. That is why CompTIA will continue to advocate for the priorities of the IT industry within the cyber-security debate.
It is clear that many laws are out of date or not relevant in the fast moving cat-and-mouse game of cyber-security. Therefore, it is important that we modernize our laws to better reflect today’s cyber-threats and the current IT infrastructure.
For example, CompTIA has strongly advocated for a national data breach notification standard in order to avoid the patchwork of state laws that are hamstringing the ability of small- and medium-sized businesses to expand. Currently, there are more than 45 varying state data breach notification laws, creating a complex patchwork of rules and regulations. This imposes significant and duplicative legal, regulatory and compliance costs on the sector that can least afford to shoulder these expenses. The burdens and costs associated with complying with multiple state laws – especially in this mobile economy – seem unfair and outdated. A national standard will help to protect consumers while allowing industry to grow.
Additionally, better coordination between the private and public sector must take place in a manner that incentivizes the various private sector stakeholders to share information and adopt more robust cyber-security measures and controls.
Congress must also address our cyber-workforce needs of today and tomorrow. Without a steady stream of cyber-warriors, we stand no chance at competing with our cyber-adversaries – let alone defeating them. More must be done to motivate the best and the brightest to enter the cyber-security workforce with the necessary skills to be successful. Congress can help by providing scholarships, training and certification to those who will enter the federal workforce and by working with the private sector on developing a strong pipeline of talent.
Finally, we have to develop a better pipeline for small- to medium-sized (SMB) IT companies that can develop new and innovative cyber-security products and services. Dedicating a larger pool of research and development funding aimed at the SMB IT sector can spawn many new and innovative companies that, in turn, develop products and services.
We urge Congress to tackle, on a bipartisan basis, the ongoing threat of cyber-security with the adoption of comprehensive cyber-security reform. There is still a great deal of work to be done and we stand ready to continue to work with Congress on these issues of national consequence.
Panelists at Day Two of the TechVoice D.C. Fly-In Tackle Cyber Warriors, Startup 3.0 and More
by Lana Sansur on Thursday, February 14, 2013
Tags: senate, healthcare it, cybersecurity, house, TechVoice Fly-In 2013, startup act, STEM
This morning we kicked off day two of the TechVoice D.C. Fly-In with a Tech Summit that included exceptional panel members from the private sector and federal government diving into IT workforce, Internet governance and other important issues for the tech entrepreneur.
Ernest McDuffie, lead of the National Initiative for Cybersecurity Education, started the morning with discussion of an initiative called NICE, which defines a framework to improve online behavior skills to enable a safer cyberspace. There was a lot of discussion about who the “cyber warrior” is, who is in charge of what and where funds would come from to support cyber-security. Erik Jones, deputy general counsel at the U.S. Senate Committee on Commerce, Science and Transportation, encouraged our member companies and information technology small- and medium-sized businesses to partner with the federal government and collaborate on effective cyber-security policies. He said that while the process has begun with a recent executive order on cyber-security signed by President Obama, we still have a long way to go.
The panelists also discussed improving the cyber-security workforce, agreeing we need a well-trained one. One of the panelists said that to fix the shortage of STEM-skilled workers, we need to start encouraging students in middle school. He said this can be done with scholarships, competitions and parental support. He stated that there is still a hangover from the tech bubble burst years back, with a significant drop in students enrolled in STEM coursework, and that today we’re still short.
Another panelist said that while there is a shortage of skills, there is not a shortage of jobs but rather a shortage of experience. Not only is there not a developmental pipeline for STEM, but many organizations don’t want to hire junior people.
On a second panel discussing “IT Innovation on the First Responder Platform,” we heard from Jeff Cohen, chief counsel for law and policy with APCO International, who painted a picture of the rudimentary public safety communications landscape of the nation’s first responders. He said that public safety today relies on land mobile radio signals that do not provide first responders with the much needed data that smart phones provide, like maps, real time video, medical records, traffic alerts, etc. Not only are land mobile radio signals antiquated, but they’re expensive – a two-way radio can cost $3,000 to $4,000, depending on the features.
Cohen discussed the importance of having a mandate dedicated to providing a national broadband network to deliver more up-to-date communications tools. He also touched on the policy initiatives in place to promote a national safety broadband network, including FirstNet, a congressional mandate for a broadband wireless network. He encouraged private companies to partner with their government to make this happen.
We also heard from Ashok Agrawala, professor of computer science at the University of Maryland and director of the Maryland Information and Network Dynamics (MIND) Lab, who showed the audience where public safety technology is going with a demonstration of M-Urgency, a first responder app created for students on the College Park Campus.
Another panel member talked about opportunities for information technology small- and medium-sized businesses to get involved in public safety communications and the need for solid technology tools so that first responders can do their critical jobs. He also encouraged anyone interested to get involved at the state level since every state has its own safety needs.
Our last panel of the day was about “Startup 3.0” legislation allowing small- and medium-sized businesses to grow and prosper. The timing of the panel couldn’t have been more perfect, considering that the House of Representatives version of Startup 3.0 will be introduced this week and the Senate version was introduced yesterday. We learned about two new visa provisions of the bill. The first is intended to benefit STEM students pursuing advanced degrees with the addition of 50,000 new visas and the second is intended to benefit entrepreneurs who create businesses and new jobs with the addition of 75,000 new visas. These provisions would create 26 million new jobs in the U.S.
We also learned that Startup 3.0 offers a new R&D credit that is more accessible to startups. The credit would be offered against employment taxes instead of income taxes. Panelists urged co-sponsor support, so please write and/or call your local representative or go to TechVoice.org and click on the Action Alert button to seamlessly contact your state’s representative. For details on the names and titles of the speakers we heard from this morning, check out our TechVoice website.
It was a great few days in D.C.! Please check out Twitter chatter on today’s panel at @TechVoice.
Serious gaps remain between cyber concerns, investments; Contractors move to save cybersecurity funding; House to consider limited GOP immigration bill
by Elizabeth Hyman on Wednesday, November 28, 2012
Tags: cybersecurity, house
CompTIA’s 10th Annual Information Security Trends study reviews how the use of mobile devices and technologies such as cloud computing create opportunities as well as vulnerabilities, reports Federal Computer Week. Fifty-seven percent of respondents indicated their company has made at least moderate IT security changes to combat those threats over the past two years, while 10 percent indicated they’ve made drastic changes.
Federal officials have hinted that the cybersecurity budget will be spared amid spending cuts, says Politico. Rep. Mac Thornberry, a member of the House Armed Services Committee, indicated the government will continue to rely on the private sector to provide cybersecurity capabilities.
House Republicans are slated to vote next week on new legislation that would expand visas for foreign science and technology students and make it easier for immigrants with green cards to bring their families to the U.S., according to the Associated Press. The original legislation, dubbed the STEM Jobs Act, was rejected in a House vote in September by a Democrat majority that argued that the increase in visas was offset by the elimination of another visa program for less-educated foreigners.
Small Business Owners Nervous About End of Bush-Era Tax Cuts; Obama Makes Cybersecurity a Top Priority; Presidential Candidates Agree Foreign-Born Entrepreneurs Good For U.S.
by Elizabeth Hyman on Tuesday, November 06, 2012
Tags: Obama, security, cybersecurity, taxes
Many small business owners have put off plans to hire and expand amid uncertainty around what they will face when several Bush-era tax cuts expire at year’s end, said USA Today. Although tax hikes appear to be a likely outcome, there are several legislative scenarios that could alter, minimize or even delay the tax hikes set to kick in this January.
After warning that U.S. financial institutions will continue to be under constant cyber attack, Homeland Security Secretary Janet Napolitano said that President Barack Obama has made cybersecurity a top priority, said The Hill. Napolitano noted that the Obama administration has increased the federal government’s cyber workforce by 600 percent since 2005 and is looking to hire more skilled workers to protect our nation’s private businesses.
Both presidential candidates agree that the U.S. needs to do more to encourage foreign-born entrepreneurs to stay and build businesses; this according to the Boston Globe. Current immigration laws have made it difficult for these entrepreneurs to stay in the U.S. and get the start-up resources they need, even though they have received advanced STEM degrees at U.S. schools.
Cybersecurity Bill Likely Dead; Tech Firms Stepped Up at Conventions; Obama Suggests ‘Secretary of Business’ in Second Term
by Elizabeth Hyman on Tuesday, October 30, 2012
Tags: Obama, senate, cybersecurity, house
- Passing of new cybersecurity legislation may have to wait until next year.
- Tech and telecom companies stepped up networking efforts at both national conventions.
- Obama plans to appoint a secretary of business.
The passing of new cybersecurity legislation to protect our nation’s critical infrastructure may have to wait until next year, said The Hill. Even though Defense Secretary Leon Panetta urged Congress to act swiftly and Sen. Harry Reid (D-Nev.) said he is planning to bring the issue to the floor again in November, there are several roadblocks, including a packed docket of pending legislation that needs to be completed.
Tech and telecom companies stepped up networking efforts at both national conventions this year by donating funds and their devices, said Politico. Led by a pack of companies including AT&T, Microsoft and Facebook, the tech industry played an increasingly visible role, according to numbers released by the Federal Election Commission.
President Barack Obama said recently that, if re-elected, he plans to appoint a secretary of business to oversee several consolidated government agencies; this according to the Wall Street Journal. This new position would oversee small business loans and assist with exports, among other business-related responsibilities previously delegated to multiple departments, in an effort to boost government productivity.