Langevin Offers Amendment to FY2015 Commerce-Justice-Science Appropriations Bill

May 28, 2014
Issues: Cybersecurity

Congressman Jim Langevin (D-RI) offered the following statement on his amendment to the FY2015 CJS Appropriations bill, which would measure adoption of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. The amendment was adopted by voice vote.

Congressman Jim Langevin
Remarks on Amendment to H.R. 4660, FY2015 CJS Appropriations
May 28, 2014

Mr. Chairman, the amendment I offer today addresses a topic that is of the utmost importance to our national defense – cybersecurity. Before I go into the particulars, I would like to acknowledge the important work of my colleague, Chairman Wolf, on this vital issue. Although he is retiring at the end of the year, he has left a legacy of support for cybersecurity funding, which he and Ranking Member Fattah have continued in this bill.

Bad actors in cyberspace are growing in number and in sophistication, and as policymakers we have an imperative to act in the public interest. When Congress came up short in its efforts to enact comprehensive cybersecurity legislation in the 112th Congress, the Administration rightly acted as best it could to advance the ball on cybersecurity. It charged the National Institute for Standards and Technology with the creation of a framework for cybersecurity, and it ensured an open process, engaging all parties from across the spectrum of industry, government and academia.

Mr. Chairman, my simple amendment endorses the use of routine Department of Commerce surveys in order to measure the extent to which businesses have adopted the NIST voluntary cybersecurity framework. In fact, my amendment will ensure that the Bureau of Industry and Security’s Office of Technology Evaluation uses its Defense Production Act authority to conduct such a survey about use of the NIST framework.

While I applaud the President’s focus on cybersecurity, and the NIST process has been widely regarded as a laudable example of public-private partnership, much more needs to be done – and the Administration cannot go it alone. It will take Congressional action to address issues such as incentives, liability protections, information sharing, and breach notification.

However, while we continue to work towards passage of bipartisan cybersecurity legislation, it is important that we measure how well the NIST framework is faring. A routine Commerce Department survey, using existing authority under the Defense Production Act, will enable an assessment of the NIST framework’s adoption rate—a key component of its effectiveness. Information sharing is also an important part of the framework, so the survey will also allow BIS to ask companies what, if any, information from the government they have used and how they have used it. This brief survey should be designed in a way to minimize the burden on companies: determining if they are using the framework or information shared from the government does not require an exhaustive survey of their cybersecurity practices.

The NIST framework is a model for cybersecurity. It doesn’t demand adherence to a particular set of standards, nor does it proscribe certain activities. Instead, it describes processes that entities can adopt to help them decide which standards and risk levels are appropriate for their own situations. I believe that the NIST framework is a useful tool for companies to help them navigate new threats in the Information Age. I know that some of my colleagues believe otherwise. But without hard data, these sentiments will be just that: beliefs. Measuring adoption of the framework is a concrete step we can take to help develop our own best practices for what works in the realm of cyber policy.

Mr. Chairman, we’ve all heard about major cyber attacks in the news including the Target breach and the Heartbleed security vulnerability. Just this month we’ve seen the Department of Justice indict Chinese soldiers for hacks of American companies. We’ve seen the breach of up to 145 million emails, birth dates, and passwords from a major internet commerce site. We’ve even seen the Department of Homeland Security warn about a successful attack on a public utility that compromised the utility’s control system network. My amendment will not solve all of these problems at once. But it will help policymakers here and in the Administration to take effective and informed steps to protect our networks from cyberattacks.

With that, let me again congratulate Chairman Wolf and thank him for his distinguished service to this body. I urge my colleagues to support this amendment, and I yield the floor.