White House to push piecemeal cybersecurity legislation

Among IT experts and government leaders, there is a broad consensus that the U.S. needs better cybersecurity protection. Furthermore, many believe that new legislation is essential for these efforts. 

However, earlier attempts to pass overarching cybersecurity legislation have come up short. As a result, the Obama administration now plans to instead focus its efforts on the passage of a number of smaller piecemeal bills that, while not comprehensive, may help to shore up federal cybersecurity capabilities, Federal Times reported.

Reduced scope
Speaking at an event hosted by the Christian Science Monitor and the Center for National Policy, White House Cybersecurity Coordinator Michael Daniel announced that the Obama administration will try to pass whatever cybersecurity improvements it can, the news source noted. Daniel acknowledged the challenging current legislative environment and the resulting need for diminished expectations.

"I think it's easier to get smaller pieces through rather than one big cybersecurity bill," said Daniel, Federal Times reported. "Obviously, getting anything passed on Capitol Hill right now is a challenge."

According to the source, one of the administration's goals is the passage of legislation that would improve cybersecurity cooperation between the Department of Homeland Security and private companies. Federal Times pointed out that such efforts could potentially help to stave off cyberattacks such as the recent successful attack against JPMorgan Chase and a number of other major U.S. financial institutions. 

The news source also reported that the administration hopes to pass legislation that would give the DHS the ability to hire more cybersecurity professionals, as well as increase the agency's overall legal authority to combat cyberterrorism.

Previous progress
As the news source noted, the federal government has made some progress in this area, albeit not as much as many cybersecurity experts would like. The Senate Homeland Security and Governmental Affairs Committee approved a few small cybersecurity bills, and the House of Representatives passed a larger cybersecurity bill earlier this year. 

However, despite these efforts, the overall impact on U.S. federal cybersecurity has been minimal. 

Significant danger
This lack of progress is particularly disturbing in light of recent cyberattacks. In addition to the hacking of U.S. critical infrastructure in the form of major financial institutions, the federal government has claimed that Chinese military hackers attacked at least 20 U.S. Transportation Command contractors between June 2013 and May 2014. According to the Senate Armed Services Committee report detailing these attacks, these represent less than half of all the foreign cyberattacks during this period. The successful cyberattacks relied on an advanced persistent threat (APT) strategy.

These incidents and others highlight the need for cybersecurity bills that address the evolving nature of today's cyberthreat landscape. Whether a piecemeal approach to legislation can sufficiently improve U.S. defenses remains to be seen.

Current efforts
While waiting for legislative progress, the Obama administration intends to take executive action to improve U.S. cybersecurity. Daniel noted that he hopes to encourage Americans to reduce their reliance on passwords when it comes to sensitive computers and assets. Federal Times reported that Daniel advocated biometric security measures as a superior alternative.

Daniel's comments were geared toward the average American, but many federal employees also rely on weak passwords and other suboptimal practices to protect their agencies' networks and data. In some cases, this is due to poor training. In others, it is due to a lack of satisfactory protocols and tools.

These behaviors emphasize the need for federal agency leaders to partner with third-party cybersecurity consulting firms. These organizations can vastly improve departments' security across the board, and enable them to respond in the event that new cybersecurity legislation goes into effect.