
Congress and Cybersecurity

Government's Pressing Cybersecurity Issues

Rep. Adam Putnam (R-Fla.)
House Subcommittee
Thursday, February 12, 2004; 10:30 AM

Recent online worm and virus attacks as well as the specter of Internet terrorism have turned Capitol Hill's attention to the threats and challenges that stand between the United States and an Internet that is safe for everyone to use.

Rep. Adam Putnam (R-Fla.), head of a key House subcommittee on information technology, and washingtonpost.com reporter Brian Krebs were online on Thursday to discuss today's pressing cybersecurity issues.


An edited transcript is below.

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.


Brian Krebs: Good morning, Congressman, and thank you for joining us today.

Last year you came close to introducing a bill that would require public companies to verify that they have met certain cybersecurity standards. You later decided to delay that legislation to give the tech industry time to come up with an alternative. Why did you decide to delay your bill? What sort of proposal would businesses have to come up with in order for you to not introduce your own bill?

Rep. Adam Putnam: Upon soliciting the feedback from the private sector and receiving A LOT of feedback, I came to the conclusion that I had raised the point and the awareness sufficiently in the boardrooms so that the private sector would take IT Security seriously. If they can come up with a plan that establishes sound practices, adhered to by the industry, I would support such a meaningful security plan even if it did not require direct federal law. There were also concerns about writing technology standards into the law that would be obsolete soon, and great concerns over the SEC role in technology -- one they are not equipped to handle.


Jacksonville, Fla.: Can Congress do anything other than wring its hands about cybersecurity? With 85 percent of the nation's critical infrastructure in the hands of thinly regulated private companies it seems like you don't have much power.

Rep. Adam Putnam: You are correct about the 85 percent being in the private sector... It is a very important partner in a national cybersecurity strategy. My hearings have focused on ways Congress can move from the hand-wringing stage to action. It is delicate, though, as we don't want to stifle innovation or codify a standard that is irrelevant in 18 months. The federal government spends $60 billion a year on IT and we don't know what we own, the systems don't coordinate, agencies don't prioritize, etc. Government can learn a lot from the private sector on security too. Healthcare and financial services are far ahead of the government in protecting systems and privacy.


Brian Krebs: How is the work you're doing on cybersecurity -- particularly in relation to the operations of the Homeland Security Department -- sitting with the other committees that claim jurisdiction on this issue? What sort of dialogue are you having with those committees and do you think they support what you're trying to do?

Rep. Adam Putnam: Clearly the nature of my subcommittee... and the full committee for that matter is that there are lots of overlaps of jurisdiction with other committees. As with most organizations this size, we try to spend a lot of time with the staff and members of other committees to smooth feathers and make sure we are all working in the same direction. Most of the time things go very well. We have a lot of contact with the appropriators, Financial Services Committee, HA Committee and others. On cyber issues, there is a great deal of overlap with the HA Committee and we work very hard together to avoid duplication of effort.


Portland, Maine: Hello Congressman, shouldn't the government be a little tougher on the companies responsible for stopping electronic attacks? I'm thinking specifically of Microsoft and some of these other companies that build the broken software that lets attacks happen. Also, shouldn't the government mandate that companies take concrete steps to at least protect their own networks?

Rep. Adam Putnam: I have a working group right now that is addressing a portion of your concerns... How do we find a market-based approach to improving awareness and activity on security for home users, soft/hardware manufacturers and government? In a sense you are asking the question "how do you legislate higher quality?" and that's tough. The government has common criteria standards for sensitive defense and intelligence purchases, and we have explored the idea of broadening the use of the common criteria. As you might guess there are mixed opinions on that as well.


Medford, N.J.: Congressman Putnam, I would be very interested if you could give us a little background about yourself. I understand that you are the youngest member of the House of Representatives. Does that bring with it (at least in this traditionalist culture of the Hill) a certain extra drawback to already being a fairly junior member in the rankings? You DO have a plum subcommittee chairmanship but do you ever find that the topic doesn't get the attention it deserves from your colleagues? What about the administration?

Rep. Adam Putnam: I am still the youngest member, though not the youngest ever. It is a real honor to be able to serve.

As the youngest I am asked a lot if I get the same level of respect as my older colleagues, and the answer is yes. Everyone arrives in D.C. with the same level of respect for having won, and you move up or down on the respect scale by your efforts. The subcommittee is a plum, thanks to Chairman [Tom] Davis of Virginia. He put a lot of faith in me to take over his old subcommittee. It is an issue I have learned a lot about and enjoy working on... as you alluded to, it is also one that does not get as much attention on the Hill as others.


Brian Krebs: The "MyDoom" worm was the fastest-spreading ever, mainly because too many consumers opened the e-mail attachment that contained the worm. What more do you think needs to be done -- if anything -- to educate Internet users to practice safe computing?

Rep. Adam Putnam: The industry and the government have an interest in promoting education of home users. They are a huge piece of the puzzle. Manufacturers also have begun adjusting the default settings to force the consumer to affirmatively activate a component rather than the opposite. Always-on connections are also factors inhibiting security as the machines are more vulnerable to worms, viruses, etc. There is a role for educators with young users on IP protections, security and ethics also.


Bellevue, Nebraska: There seem to be many organizations within the federal government that have differing cybersecurity efforts. Why isn't there one agency that manages, advises and captures a realistic and evolving vision of cyber security?

Rep. Adam Putnam: OMB [The White House Office of Management and Budget] is the oversight agency for basic IT spending by the various agencies in the federal government. They have improved their oversight greatly under the President's Management Agenda and have backed it up with funding and a scorecard that tracks progress in a public way. The more cybersecurity-related issues are being folded into the Department of Homeland Security in the National Cyber Security Division. It, along with the whole department, is quite new. There is more work to be done.


New York, N.Y.: Why should anyone believe that you have a real interest in computer security after Republican staffers hacked Democrats' computers and stole their private files?

Rep. Adam Putnam: I guess you will have to ask the senators. Over here in the people's chamber we are working hard to improve security for all Americans. Even Democratic Judiciary staffers and senators who are blocking great Americans from serving on the federal bench...


Brian Krebs: Do you think consumers and the nation as a whole are better off today than they were a year ago when the administration first released its cyber plan?

Rep. Adam Putnam: Clearly awareness is greatly increased among the government, home users (some who've learned the hard way), manufacturers and the critical infrastructure and corporate America (who will learn a lot more through Sarbanes-Oxley implementation). We still have far to go...


Storm Lake, Iowa: Republican staff members recently tapped into the computers of Democratic staff members in the Senate, stealing confidential strategy memoranda about judicial nominees. Besides the current investigation by the sergeant-at-arms, Rep. Putnam, what is being done about cybersecurity in your own backyard to prevent this from happening again?

Rep. Adam Putnam: I would refer you to my previous response on the Senate investigation. We work and play well with others in the House.


Brian Krebs: A follow-up question. Is there any interest in having companies set cybersecurity standards and then put industry-led entities in charge of overseeing compliance?

Rep. Adam Putnam: I do have an interest in seeing a set of best practices and guiding principles developed that could be used by businesses of all shapes and sizes. If the oversight was by a credible entity -- an Underwriters Lab if you will -- then sure, let the private sector handle it. Obviously, the government will always have a role, but we likely would not need a new agency established to do this.


Brian Krebs: Last month, the Department of Homeland Security launched its National Cyber Alert System to provide the public with information about the latest Internet threats and things people can do to combat those threats. But critics of that program -- including Sen. Charles Schumer (D-N.Y.) -- say the program doesn't go far enough, will only serve to duplicate the fine work already done by dozens of antivirus companies, and is vulnerable to attackers "spoofing" the alerts to get consumers to download malicious files under the guise that they are actually safe programs from the government. Do you share any of these concerns?

Rep. Adam Putnam: There have been over 250,000 visits to that new Web site in the first week! Clearly, public interest and awareness are high and that is a good thing. There are some legitimate concerns to work through but in general we are heading in the right direction.

Thanks for having me online. This is a real pleasure. Feel free to log onto my Web site at www.adamputnam.house.gov.

Drink Florida Orange Juice every day!


Brian Krebs: Unfortunately, Rep. Putnam has been called away to a hearing. Thank you all for your keen questions and interest.


© 2004 Washingtonpost.Newsweek Interactive