[Congressional Record (Bound Edition), Volume 160 (2014), Part 13]
[Extensions of Remarks]
[Pages 18872-18873]
[From the U.S. Government Publishing Office, www.gpo.gov]




                 CYBERSECURITY ENHANCEMENT ACT OF 2014

                                 ______
                                 

                       HON. EDDIE BERNICE JOHNSON

                                of texas

                    in the house of representatives

                      Thursday, December 11, 2014

  Ms. EDDIE BERNICE JOHNSON of Texas. Mr. Speaker, I rise in support of 
S. 1353, the Cybersecurity Enhancement Act of 2014.
  I want to commend several Members on both sides of the aisle and both 
chambers who have worked on this bill for many years. I want to thank 
Representatives Lipinski and McCaul and Senators Rockefeller and Thune 
for their longstanding, bipartisan leadership on this critical topic of 
cybersecurity research and development.
  This bipartisan bill is overall a very good bill that contributes in 
essential ways to any comprehensive effort to keep our nation, our 
businesses, and our citizens safe from malicious cyber attacks.
  S. 1353 incorporates a number of pieces from H.R. 756, the 
Cybersecurity Enhancement Act of 2013 that moved on a bipartisan basis 
through the Science, Space, and Technology Committee, and then was 
passed overwhelmingly on the House floor last April.
  While S. 1353 is a good bill and I will be supporting it, I want to 
talk about what is not in this bill but was in H.R. 756. I hope that as 
we continue to discuss actions our government can take to better secure 
our cyberspace, we keep these topics on the table.
  The first of these topics is human factors. The fact is that people, 
not software or hardware, remain the weakest link in our cybersecurity. 
Whether it's weak passwords, or falling victim to phishing, or using 
corrupted thumb drives, people unwittingly compromise their own 
security and that of large networks and companies every day. To truly 
secure our cyberspace, it is vital that we understand how and why 
people make the decisions they do, and how we might develop better 
policies and technologies to reduce risky behaviors. Unfortunately, a 
section contained in H.R. 756 to direct just this type of research was 
not incorporated into S. 1353. I hope we continue to make human factors 
a priority going forward.
  The second topic is workforce. The federal government and private 
sector alike is suffering from a lack of adequately trained 
cybersecurity professionals. Unfortunately, women and underrepresented 
minorities are still significantly underrepresented in computer and 
information sciences. We can't expect to fix the shortage of skilled 
cybersecurity professionals with much less than half of our brain 
power. I wish S. 1353 included more language on how our agencies can 
help address this shortage. As I see it, our only option is to continue 
to make this a priority.
  Finally, Mr. Speaker, I want to address a concern that NIST had about 
some of the language in this bill. In one of the opening paragraphs of 
the bill, paragraph (e)(1), NIST is directed to prevent duplication of 
regulatory processes and prevent conflict of regulatory requirements. I 
just want to clarify two things. First, by definition, NIST's processes 
are non-regulatory. Second, NIST cannot be held responsible for 
regulatory actions or processes at other agencies.
  The language is ambiguous on this second point so I just wanted to 
make sure we are clear in our expectations for NIST. To address a 
second concern that NIST raised, I hope that limitation clause in 
paragraph (e)(2) does not prevent regulatory agencies from using 
information gained through the processes in this bill to fix 
duplicative or outdated regulations.
  With that Mr. Speaker, I urge my colleagues to support this bill.

[[Page 18873]]



                          ____________________