Senate moves to bolster cybersecurity oversight

The Senate today approved a bill that would levy new oversight requirements on major cybersecurity programs run by intelligence agencies.

The 2010 Intelligence Authorization Act, which the Senate passed today, includes a provision that would increase oversight for intelligence-related multiagency cybersecurity programs that involve the use of personally identifiable information.

Section 337 of the bill (S. 3611) “sets forth a preliminary framework for executive and congressional oversight to ensure that the government’s national cybersecurity mission is consistent with legal authorities and preserves reasonable expectations of privacy,” according to a report from the Senate Select Intelligence Committee, which cleared the bill last month. The legislation that the Senate cleared today included one amendment, but it didn’t alter the focus of the bill’s cybersecurity provisions.

The report said the definition of cybersecurity programs in the section “intentionally excludes firewalls, anti-virus programs and other routine programs.” It also excludes individual cyber operations or cyber information-sharing conducted in a non-programmatic fashion, such as the sharing of a piece of information for a particular investigation.

The section “instead focuses on multiagency cybersecurity programs in which large amounts of information are characterized, screened, or inspected for the purpose of protecting government networks,” the report said. “These types of programs pose challenging new legal and privacy questions that make congressional and Executive branch oversight particularly important.”

Specifically, the bill would require the White House to notify Congress about cybersecurity programs and provide lawmakers with information on a program’s legal basis, certifications of the program’s legality, concepts of operations, privacy impact statements and plans for independent audit or review of the program.

For existing programs, the notification and documentation would need to be provided within 30 days of the enactment of the bill. The notification and documents for new programs would be required within 30 days of the commencement of the program, assuming the bill became law.

The notification requirements are intended to ensure that Congress knows of the significant legal, privacy and operational aspects of each new cybersecurity program, said the report submitted by the committee chairwoman, Sen. Dianne Feinstein.

The committee report said a certification of a cybersecurity program as described by the bill would have to address the legality of the program as a whole and would have the potential to authorize providers of wire or electronic communication to provide significant assistance to the government, without fear of litigation.

“Given the potential impact of any certification, the committee believes that significant congressional oversight is warranted,” the report said.

In addition, heads of agencies with responsibility for a cybersecurity program would have to work with their inspectors general to prepare a report describing the results of any audit or review under the audit plan and assess whether the cybersecurity program is in compliance with and adequately described by the documents submitted to Congress.

“This subsection is designed to provide an independent check that the agencies are conducting cyber operations in a manner consistent with executive branch guidance and to supply Congress more information about the operation of those programs,” the report stated.

In addition, according to the report, the bill would:

  • Require inspectors general to prepare a report on the sharing of cyber threat information inside the government and with those responsible for critical infrastructure one year after the bill would be enacted.
  • Allow intelligence community experts to be made available to the Homeland Security Department through a detail program.
  • Require the Director of National Intelligence to have a plan for recruiting, retaining and training an adequate cybersecurity workforce and to assess the capabilities of the current workforce.
  • Have the DNI work with the attorney general, the head of the National Security Agency, the White House Cybersecurity Coordinator, and any other officials the DNI considers appropriate to submit three annual reports containing guidelines or legislative proposals to improve the cybersecurity capabilities of intelligence and law enforcement agencies.