Cyber security chief says govt should consider presidential powers to respond to cyber attacks

Govt eyes need for powers in case of cyber attack

WASHINGTON — The government may have to take “extraordinary measures” in responding to a cyber attack that affects critical public or private computer networks, a senior Homeland Security official said.

National Cyber Security Center director Phil Reitinger said Congress should work with the administration to determine if new presidential powers are needed to govern how key industries such as power plants, the electrical grid and vital financial systems respond during a cyber crisis.

A key Senate committee is proposing that the president have more specific authority over how major industries react. Sen. Joe Lieberman, I-Conn., chairman of the Senate Homeland Security and Governmental Affairs Committee, said those powers could include the ability to require companies to install a computer patch or block particular Internet traffic.

U.S. officials are struggling to beef up the nation’s cyber security, as federal computer networks are being scanned and attacked millions of times a day by hackers, cyber terrorists and criminals seeking to steal sensitive data or disrupt and destroy vital operations.

While no one argues with the severity of the threat, lawmakers are divided over how big a role the government should play, and which federal agency should be in charge. In the middle are industry leaders who argue that private companies can often do a better job than the federal government in protecting their systems and ensuring their staffs are qualified.

In testimony prepared for a hearing in front of the Homeland panel Tuesday, Reitinger said the president already has certain emergency powers, so any adjustments should not overlap with existing law. The testimony was obtained by The Associated Press.

The legislation, he said, “recognizes that Americans expect the federal government to anticipate, prevent, and respond to cyber threats.” And, he said, the provisions relating to presidential powers “acknowledge that the government may need to take extraordinary measures to fulfill these responsibilities.”

Sen. Susan Collins, R-Maine, said the presidential authority was carefully written in the Homeland bill so that it is limited in duration and scope and that it does not permit the government to take over private networks. Under the bill, emergency presidential powers would expire after 30 days unless extended by the president.

The Homeland proposal is one of several cyber security bills. Senate Majority Leader Harry Reid has told senators that the various committees must forge a compromise.

Under questioning during the sometimes contentious hearing, Reitinger said the administration doesn’t have a formal position on the Homeland bill, but the preference is to work with existing authorities and ensure that any changes are not disruptive.

Reitinger said that while DHS is rapidly expanding its efforts to secure government networks, the ability of hackers and other cyber criminals to attack U.S. systems is still greater than America’s ability to defend them.

Business groups have mixed feelings on the bill. Steve Naumann, testifying on behalf of the Electric Power Supply Association, described a limited government role in helping industry secure its networks, such as the ability to gather intelligence or analyze information and incidents.

Cyber security expert Jim Lewis, a senior fellow at the Center for Strategic and International Studies, said federal agencies must be able to require companies to meet security standards.

“If you tell a company they have to put a lock on the door, and the company comes back and says, ‘I’ve used duct tape and that’s just as good,’ you shouldn’t have to accept that,” said Lewis. He said companies should have some flexibility but that the government must also be able to determine if precautions are adequate.

Industry groups have balked at giving the government that power.

“Good intentions aside, America’s technology companies are concerned about the unintended consequences that would result from the legislation’s regulatory approach,” said Phil Bond, president of TechAmerica, who said the changes could stifle innovation.

A rival Commerce Committee bill introduced in March by Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, gives businesses more flexibility. It allows the National Institute of Standards and Technology to set performance standards that industries must meet but gives the companies greater say in how they do it.

While the Homeland panel’s bill puts power in DHS, creating a cyber center with authority over other federal agencies, the Commerce bill gives greater cyber authority to the White House.

The White House created a cyber coordinator post last year, now filled by Howard Schmidt. A similar position is in both bills, but senators want it subject to congressional confirmation.