Opening Statement By Chairman David Wu
Good afternoon. Today the Subcommittee will consider a committee print, the Cybersecurity Coordination and Awareness Act. This committee print implements recommendations made in the Cyberspace Policy Review and the recent Subcommittee hearing, and also amends the Cybersecurity Research and Development Act of 2002.
Twenty-two years ago, this Committee paved the way for federal cybersecurity efforts with the Computer Security Act of 1987, which charged NIST with developing technical standards to protect non-classified information on Federal computer systems and was the first of 13 major laws related to cybersecurity.
The Cyberspace Policy Review recommended coordination of U.S. government representation in international cybersecurity technical standards development. Currently, responsibilities are parsed among different agencies without any consistent policy. The convergence of telecommunication, internet, and video devices requires a corresponding convergence in cybersecurity technical standards development. A coordinated policy will ensure that these representatives operate with the overarching need of the U.S. infrastructure in mind. Two weeks ago, witnesses testified in front of this Subcommittee that NIST is suited for the role of coordinator due to its extensive technical expertise, established relationships with international bodies, and existence as a non-regulatory body.
The Cyberspace Policy Review also called for a cybersecurity awareness and education campaign. NIST could be a valuable resource to all internet users in providing them with the same guidance as it gives federal agencies. The committee print tasks NIST with developing a plan to disseminate cybersecurity technical standards and best practices to the general public. However, while NIST is a great resource for technical standards and best practices, witnesses have stated that NIST guidance is often too technical for the average internet user. Therefore, the print also tasks NIST with making its standards and best practices usable by those with less technical expertise. The dissemination of more user-friendly standards will help raise the base level of cybersecurity knowledge among individuals, business, education, and government.
The Cyberspace Policy Review also states that cybersecurity cannot be improved without first improving identity management. NIST currently performs work on identity management systems such as biometrics, but this print will task NIST with improving the interoperability of these systems to encourage more widespread use. By focusing on the usability and privacy aspects of identity management, this committee print will ensure that biometric and other systems will be accepted by the public because they will have confidence in the security of their personal information.
The committee print also amends the Cybersecurity R&D Act of 2002 to reinforce the important R&D work currently done by NIST and specifically reflects witness testimony on the importance of NIST’s work with automated security specifications, such as those in the S-CAP program. The amendment will also update language in the Act to reflect more modern technological terms.