The House Energy and Commerce Committee and the Subcommittee on the Internet held back-to-back hearings on May 21 focused on “Cyber Threats and Security Solutions” and “An Examination of the Communications Supply Chain” in what was a marathon day of testimony.
The first hearing consisted of two panels. The first panelist was Patrick Gallagher, undersecretary of commerce for standards and technology and director of the National Institute of Standards and Technology (NIST). He testified alone.
Gallagher spoke at length about NIST’s efforts to develop a “voluntary policy framework to reduce cybersecurity risks to the country’s critical infrastructures, pursuant to President Obama’s executive order (EO) issued on February 12, 2013, entitled ‘Improving Critical Infrastructure Cybersecurity.’” NIST is tasked with developing a cybersecurity framework to serve as a voluntary, performance-based set of standards for critical infrastructure providers as promulgated by the EO.
Gallagher stated that once the EO was released, NIST issued a request for information (RFI) to solicit comments and input on how such a voluntary framework should be developed. Gallagher stated the agency received hundreds of responses as a result of the RFI.
During his testimony, Gallagher affirmed NIST’s support for a voluntary framework – as opposed to a regulatory mandate – to protect critical infrastructure systems because the dynamic nature of cyber-threats requires a framework that is nimble and adaptable to new and emerging threats. The agency’s policy position is that a voluntary approach is best suited for the rapidly changing world of cyber-threats and attacks.
The second panel consisted of six industry representatives from the critical infrastructure community. The panelists were largely in support of a voluntary framework for protecting the nation’s critical infrastructure systems against cyber-threats and attacks. There was also unanimous support for the recently passed House legislation entitled “the Computer Intelligence Protection Act of 2013” (CSIPA).
The third and final panel was convened by the House Energy and Commerce Subcommittee on Communications and Technology, chaired by Congressman Greg Walden. This hearing focused on “Cybersecurity: An Examination of the Communications Supply Chain.” This panel included seven speakers representing the IT sector. The purpose of the hearing was to focus on “challenges in securing the communications supply chain, what steps industry is taking, and what role standards organizations, public private partnerships and the government might play.” There was unanimous agreement from the panelists that the federal government should not implement any new regulations aimed at the communications supply chain.
Several of the panelists were concerned that any attempts to regulate how providers, manufacturers and vendors manage the communications supply chain ecosystem could have a domino effect on a global scale. U.S. legislation of the communications supply chain could cause countries such as China and India to impose new communications supply chain regulations to force American companies to reveal proprietary and trade secret information under the banner of supply chain security.
Instead, the industry advocated in favor of a voluntary global standards framework. The benefits of a voluntary approach would be a more readily adoptable set of international security standards. A global voluntary security framework also incentivizes world economies to participate in the development of international security norms for the protection of the global communications supply chain, which allows for the global consumption of American-made goods and services.