After introducing cyber bill, Senate hears from NIST, private sector

Senators, government employees and private sector representatives all praised each other for the work each had done on cybersecurity at a Senate hearing Thursday, but stressed the importance of continuing the partnership.

The Senate Commerce, Science and Transportation Committee hearing came a day after committee Chairman Jay Rockefeller, D-W.Va., and ranking member John Thune, R-S.D., introduced the Cybersecurity Act of 2013. The bill codifies the cybersecurity framework the National Institute of Standards and Technology has been putting together since President Barack Obama issued an executive order in February.

“I think this bill strikes the balance to ensure that what develops is industry led and a true partnership between NIST and the private sector,” Thune said. “It also ensures NIST’s involvement in this process is ongoing.”

But the session was notably quiet, poorly attended and briefly interrupted by a surprise vote, much to Rockefeller’s chagrin.


“I’m not overwhelmed by our attendance so far,” he said with a slight smile to the three other present senators. The full committee has 25 members. “Look, we’ve got this brilliant group before us. … They deserve better.”

Rockefeller’s brilliant group — representing NIST and the private sector — discussed the progress achieved by working together.

“However, your legislation is still needed to create a more effective long-term relationship between the public and private sector,” said Arthur Coviello, executive chairman of RSA, the security division of EMC, which provides data storage, information security and cloud computing software.

Coviello insisted the public-private solutions must remain “industry driven,” “voluntary” and “technology-neutral.” Things move too fast, he said, and the private owners and operators of the critical infrastructure will be at the forefront responding to cyberthreats.

Patrick Gallagher — representing NIST as the acting deputy secretary and undersecretary of commerce for standards and technology — agreed. But the cybersecurity framework must also focus on industry buy-in.


“The goal is to make good cybersecurity performance equal to good business practice,” he said.

While laudatory of the new legislation, Coviello endorsed future legislative initiatives: updates to criminal cyberhacking laws; laws for breaching federal data; and updates to the Federal Information Security Management Act, which directs government information security.

The tenor of the hearing was more docile than a similar House hearing last week, when lawmakers pressed officials from NIST and Department of Homeland Security on their concerns that the cybersecurity framework would not remain voluntary.

Rockefeller alluded to the difficulties of getting all parties on board on such a difficult issue.

“We come from three jurisdictions, which is … not … fun,” he said haltingly. “It’s OK, but it’s … just not the best way to do something.”

Latest Podcasts