The Obama administration is sitting on a report about the security of federal government computer networks because it is embarrassing, a senior Republican senator said Thursday.
The annual report from the White House Office of Management and Budget was due March 1, Sen. Tom Coburn of Oklahoma told a joint hearing of the homeland security and commerce committees on U.S. cybersecurity.
“There’s no reason for [the delay], other than [the report] shows significant criticism” of the government’s performance in keeping federal computer networks secure, he said.
Mr. Coburn noted that past reports have faulted the government for failing to comply with the law and has revealed flaws and gaps in the security of the computer networks.
U.S. intelligence and defense officials say criminals and hackers, as well as foreign spy agencies and military units, probe federal computer networks millions of times a year.
The Federal Information Security Management Act sets standards for cybersecurity across the government and mandates the March 1 annual report from the Office of Management and Budget about levels of compliance with the law. The office did not respond to requests for comment about the delay.
Homeland Security Secretary Janet A. Napolitano told the joint hearing of the success her department has had in responding to reports of cyberattacks.
Since its establishment in 2009, Homeland Security’s National Cybersecurity and Communications Integration Center has responded to nearly half a million incident reports and released more than 26,000 “actionable cybersecurity alerts” to state and local governments and private sector companies, she said.
Noting that Homeland Security now employs more federal law enforcement agents than any other government department or agency, she added that the department’s cybercops had “prevented $10 billion in potential losses through cybercrime investigations and arrested more than 5,000” suspected cyber criminals.
Patrick D. Gallagher, undersecretary of commerce, explained how a special unit of the Commerce Department, the National Institute for Science and Technology, is helping draw up a cybersecurity framework that private companies running vital U.S. industries such as banks, utilities and telecommunications can use to make sure their computer systems are secure.
He said President Obama issued an executive order giving the institute that responsibility last month, after Congress failed for the fifth year in a row to pass cybersecurity legislation.
Mr. Gallagher said private companies work well with NIST, which operates in an advisory role and does not impose burdensome bureaucratic regulations.
“We’re technical, and we’re not in charge of anything,” he said, adding that his approach to the issue was to get “industry and the critical infrastructure community [to] put the framework together themselves.”
A cybersecurity bill failed last year because Congress was deadlocked over the issue of liability protection for the private sector.
Sen. Thomas R. Carper, chairman of the Homeland Security and Government Affairs Committee, said legislation is still needed to “fill in the gaps” left by the president’s order.
“Now is the time,” the Delaware Democrat said.