WASHINGTON — As the White House and congressional lawmakers resume talks on legislation to improve U.S. defenses against cyber-attacks, Homeland Security Secretary Janet Napolitano on Thursday signaled that disagreements remain over a House cybersecurity bill, which she called insufficient.
In 2012, identical legislation passed the House of Representatives but died in Democrat-controlled Senate after President Barack Obama threatened to veto it, saying the bill did not have adequate safeguards for privacy and confidentiality, among other things.
Obama signed an executive order in February designed to make it easier for the government to warn private companies of cyberthreats and to set up a system of voluntary cybersecurity standards — a contentious subject for the industry that helped kill broader Democratic legislation last year.
House intelligence committee Chairman Mike Rogers of Michigan reintroduced his bill last month. He recently said his team and the White House were "not that far apart" in the renewed talks about the bill, which focuses on better sharing of information among companies and the government.
The White House has sought a more comprehensive piece of legislation that would also set minimum security standards for critical companies, such as utilities, and provide better protection for private information that may be turned over to the government.
On Thursday, at a hearing on Obama's recently signed cybersecurity executive order, Democratic Senator Jay Rockefeller of West Virginia asked Napolitano whether a bill focusing on information sharing without addressing security standards would be sufficient.
"No," Napolitano answered, further adding: "In terms of the House bill, even in the information sharing area, I think there were some deficiencies in it."
She reiterated some of the concerns the White House voiced about the House bill last year, including the information monitoring power being given to the National Security Agency, which is part of the Defense Department.
Patrick Gallagher of the National Institute of Standards and Technology was tasked with setting voluntary minimum standards in the executive order. He reiterated the hope for good cooperation with the private sector in drafting such standards.
"Cybersecurity doesn't lend itself to simple solutions," he said at the joint hearing by the Senate's Homeland Security and Commerce committees. "Even with information sharing, when you're going to provide threat information to the private sector, they have to have the capacity to act on that information."
