Aliya Sternstein

Aliya Sternstein is a contributor for Nextgov.


Cyber Bill Wouldn't Change NSA Power-Sharing Agreement


Homeland Security and Defense officials are advocating for a Senate bill that would concentrate computer defense authorities at DHS and the Pentagon's National Security Agency.

In debating how best to thwart a devastating attack on critical U.S. networks, the case has been made that Defense is more technologically and financially equipped for the job than Homeland Security. But many Americans are uncomfortable about the military probing their private communications. DHS Secretary Janet Napolitano on Thursday afternoon said new legislation granting her department responsibility for national cybersecurity, rather than the Pentagon, is the right approach.

She added, however, that the measure would not stop Homeland Security and Defense from abiding by a 2010 memorandum that specifies the Pentagon's codebreakers at NSA and their equipment will respond to civilian and military cyber incidents.

"Both DoD and DHS use the technological expertise of the NSA," Napolitano testified during a Homeland Security and Governmental Affairs Committee hearing on the Senate's comprehensive cybersecurity legislation, S. 2105. At various hearings this week, she, Joint Chiefs of Staff Chairman Martin Dempsey and Defense Secretary Leon Panetta have backed the bill.

"We are not proposing and have never proposed that two NSAs be created," Napolitano said. The reason she gave for endowing DHS with national cybersecurity oversight rather than Defense is that Homeland Security protects U.S. critical infrastructure systems, which are primarily owned by private companies. In addition, even though NSA technologies would be employed, Homeland Security privacy and legal staff would accompany NSA personnel in all operations.

Commerce Recommends Private Sector Lead Internet ID Board


The Commerce Department plans to initiate a government-funded steering board that eventually would be privatized to build a global system for safekeeping online identities.

Under recommendations released on Wednesday, private sector officials would lead the committee in cooperation with, but independent of, the government. After about two years, the body would need to be self-sustaining, Commerce officials said.

The board is part of an Obama administration strategy to spawn an online credentialing network similar to the credit card payment system that would allow consumers to, without registering, access their bank accounts, veterans benefits and any manner of secure online services. No more multiple passwords to forget.

"As a key stakeholder and active participant in the identity ecosystem, the government intends to catalyze the creation of this new governing body by funding, through a competitive grant, a service to provide secretarial (administrative and operational) support for the Identity Ecosystem Steering Group," the Commerce report states. "After a period of initial government support, the steering group will need to establish a self-sustaining structure capable of allowing continued growth and operational independence."

Some critics of the overall approach, called the National Strategy for Trusted Identities in Cyberspace, have argued that a government-run credentialing initiative could morph into a national ID system for tracking citizens. "If the folks doing NSTIC succeed in their goal of creating an identity ecosystem, it's not the national ID that I oppose," said Jim Harper, director of information policy at the Cato Institute. But, "if the government is the lead actor in this ecosystem, well, the government's going to end up calling the shots," he added. "And when we have a bad day, if heaven forbid there's some kind of terrorist attack, watch the government turn on a dime and drop the idea of an open ID system."

On Wednesday, Jeremy Grant, senior executive advisor for identity management at Commerce's National Institute of Standards and Technology, said in a statement, "While NSTIC is a government initiative, the Identity Ecosystem it envisions must be led by the private sector . . . The recommendations we published today lay out a specific path to bring together all NSTIC stakeholders -- including the private sector, advocacy groups, public-sector agencies and other organizations -- to jointly create an online environment, the ecosystem, where individuals and organizations will be able to better trust one another, with minimized disclosure of personal information."

A Rail Attack, or a Communications Problem?


Who knows what really happened to a railway in the Pacific Northwest last month? Nobody who's willing to say, apparently. Nextgov's reporting on a Transportation Security Administration memo that stated unequivocally that hackers executed a "targeted attack" on a railroad and disrupted signals leaves a lot of unanswered questions. For starters:

  • According to the handout, which summarized a transportation working group's Dec. 20 meeting on the crisis, TSA provided the transit sector with live updates to explain the source of the intrusion. This week, rail industry representatives disputed the accuracy of its contents, saying no targeted attack occurred. Why was an inaccurate TSA memo asserting a targeted cyberattack on a railroad distributed at all?
  • If there wasn't a railway cyber strike, why wasn't a subsequent corrected memo issued?
  • What actually caused the signal interference?
  • Why didn't the memo carry a "For Official Use Only" stamp or some other confidential label, if the notes were not for public consumption?
  • Is it TSA or the rail company that gets to decide the cause of a malfunction?
  • Will this mess frighten industry away from asking the government for help in the event of a real cyber emergency?

The irony here is that the memo praised the government-industry collaboration in responding to this breach. But maybe that too was inaccurate. So much for effective outreach.

Supreme Court Defers to Congress on Smartphone Tracking


In a potential quandary for Congress, the Supreme Court ruled that government authorities must obtain a warrant before attaching GPS devices, like car-mounted electronics, to track suspects. But they didn't rule on tracing the location of mobile devices, like smartphones, that officers have never touched.

In United States v. Jones, the justices determined that the U.S. government violates constitutional protections against unreasonable searches when it "physically invades" personal property -- in this case an alleged cocaine dealer's Jeep -- to insert a location-detection tool. The device transmitted signals pinpointing the vehicle's location within one hundred feet to a government computer, according to the court's opinion.

But Monday's ruling does not address the legality of tracking mobile devices without handling them -- a debate that is sure to intensify as location-identification services become ubiquitous in society. The justices underscored that unresolved privacy issues remain:

"If long-term monitoring can be accomplished without committing a technical trespass -- suppose, for example, that the federal government required or persuaded auto manufacturers to include a GPS tracking device in every car -- the court's theory would provide no protection," Justice Samuel Alito wrote. "For example, suppose that the officers in the present case had followed [the] respondent by surreptitiously activating a stolen vehicle detection system that came with the car when it was purchased."

Justice Sonia Sotomayor agreed with Alito:

"With increasing regularity, the government will be capable of duplicating the monitoring undertaken in this case by enlisting factory- or owner-installed vehicle tracking devices or GPS-enabled smartphones," she stated. "GPS monitoring generates a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations . . . The government can store such records and efficiently mine them for information years into the future."

In a way, the judicial branch passed the baton to the legislative branch for closure on the executive branch's case. The Justice Department had argued authorities don't need a warrant to track a person's movements on public streets.

"Concern about new intrusions on privacy may spur the enactment of legislation to protect against these intrusions," Alito acknowledged. "This is what ultimately happened with respect to wiretapping . . . In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative."

Lawmakers who have supported bills banning cellphone-tracking took advantage of the ruling to press for permanent protections.

Sen. Ron Wyden, D-Ore., said in a statement, "It seems that a majority of the Supreme Court would agree that secretly turning someone's cell phone into a tracking device without their knowledge is unconstitutional. However, U.S. law is woefully outdated when it comes to all kinds of location tracking technology. Congress has a responsibility to step in and provide clear rules and boundaries for the use of these technologies, so that law enforcement doesn't have to go all the way to the Supreme Court every time it needs direction."

Last Congress, Wyden introduced the Geolocation Privacy and Surveillance Act, or GPS Act, with Illinois Republican Sen. Mark Kirk and Reps. Bob Goodlatte, R-Va., Jason Chaffetz, R-Utah, and Peter Welch, D-Vt.

Goodlatte said in a statement that the high court's decision "confirms the fact that a warrant is necessary for tracking an individual's movements with a GPS device . . . However, the court stopped short of requiring a warrant for all geolocation information including that obtained from mobile telephones."

Administration Powers Up DHS Cyber Staff


The federal government is restructuring cybersecurity leadership, as Congress prepares to debate legislation early this year that could increase the Homeland Security Department's cyber workload. On Friday, DHS officials announced John Streufert, a pioneer in threat-monitoring at the State Department, will be joining Homeland Security as the new director of its national cybersecurity division. The transfer follows the recent appointment of Mark Weatherford, a technical expert, to run DHS' cyber program, as opposed to the usual legal eagle.

Streufert, State's chief information security officer, set up an automated "continuous monitoring" system there that has since become the de facto protocol for detecting network vulnerabilities. At DHS, he will be responsible for instituting a program aimed at curbing risks to the nation's critical infrastructure underpinnings, such as dam networks and transportation linkages. Nearly all the competing cybersecurity bills would position Homeland Security as the lead agency for working with industry to safeguard commercial networks.

Streufert will "work to maintain and strengthen our collaborations with public, private and international entities to secure the nation's critical cyber infrastructure," Weatherford, the first-ever DHS deputy undersecretary for cybersecurity, wrote in a blog post announcing the hire.

Weatherford's position was created last year to elevate Homeland Security's cybersecurity profile, according to computer experts who have advised the Obama administration. He previously served as chief security officer at the North American Electric Reliability Corporation, a standards-making group of power grid operators.

Despite Streufert's groundbreaking efforts, federal auditors this summer bashed the execution of his department's continuous monitoring program for focusing only on Windows-based systems and not tracking weaknesses throughout all of State's domestic and global offices.

DHS officials on Friday also said goodbye to retiring Rear Adm. Mike Brown, who had served as DHS director for cybersecurity coordination. He was the department's liaison to the Pentagon's U.S. Cyber Command, during a time when the Homeland Security and Defense departments began to better synchronize U.S. networking resilience, officials said.