Senate Democrats Offer Cybersecurity AgendaBill Seen as Commitment to Enact Comprehensive Measure in '13
Senate Democrats have issued their cybersecurity legislative agenda for the new Congress that, on the surface, seems less ambitious than the Cybersecurity Act of 2012, which failed to muster enough votes last year to defeat a Republican-led filibuster.
The bill, Cybersecurity and American Cyber Competitiveness Act of 2013, is so-called "sense of Congress" legislation that outlines legislative intent, but does not provide specific solutions.
Missing from the legislation is any reference to the government regulating the mostly private owners of the nation's critical IT infrastructure or developing processes for industry and government to collaborate on creating best IT security practices, both opposed by Republicans in the last Congress.
But those familiar with the process say "sense of Congress" bills serve as a placeholder for more comprehensive legislation that will be introduced later in the session. "This is simply an attempt to indicate that there is a majority interested in seeing better cybersecurity," says Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.
As cybersecurity gets debated, more detailed provisions will be offered, and they could address issues such as the role of government in establishing best security practices for infrastructure owners,
Senate Bill 21, introduced Jan. 22, calls for enhancing the security and resiliency of public and private communications and information networks against cyber-attack by nation-states, terrorists and cyber-criminals. S. 21 also promotes establishing mechanisms for sharing cyber-threat and vulnerability information between the government and the private sector.
"It is noteworthy that the sense focuses on the relationship between the private sector and the government, highlighting the importance of 'communication' and 'collaboration,'" says Allan Friedman of the Brookings Institute. "It's meant to be an overture to industry. Still, they lay out several clear goals for the communications sector and critical infrastructure that imply a determination to do something, whatever that thing may be. This is an attempt to bring the naysayers of last session's bill to the table."
Waiting for the White House
Senior Fellow James Lewis of the Center for Strategic and International Studies says the bill "looks like a placeholder while they wait to see what comes out of the White House."
When the Cybersecurity Act failed to pass the Senate last summer, [see Senate, Again, Fails to Halt Filibuster] the Obama administration began working on anexecutive order that reportedly would create a procedure for industry and government to develop best cybersecurity standards that critical infrastructure owners would voluntarily adopt. The executive order would address other actions the government could take to secure critical IT that doesn't require congressional approval [see Executive Order Could Ease Cybersecurity Bill Passage].
One of the bill's chief sponsors, Tom Carper of Delaware, says he was disappointed when Congress failed to enact the Cybersecurity Act last year.
"It was a significant improvement over our current cybersecurity laws, which numerous experts have said do not go far enough to protect us," says Carper, who assumed the chairmanship of the Senate Homeland Security and Governmental Affairs Committee in the new Congress [see New Cybersecurity Leaders in Congress]. "Today's legislation ... will help lay the groundwork for a framework that can balance the needs and concerns of both government and the private sector - and keep Americans safe. Our nation cannot afford more delay on this issue."
The legislation also calls for:
- Developing a coherent public-private system to improve the capability of the United States to assess cyber-risk and prevent, detect and robustly respond to cyber-attacks against United States critical infrastructure, such as the electric grid, the financial sector and telecommunications networks.
- Promoting research and development investments in America's information technology sector that create and maintain good, well-paying jobs and help to enhance the economic competitiveness and cybersecurity of the United States.
- Promoting cybersecurity and information technology training to develop the country's next generation of cyber-professionals.
- Preventing and mitigating identity theft and guarding against abuses or breaches of personally identifiable information.
- Enhancing United States diplomatic capacity and public-private international cooperation to respond to emerging cyber-threats, including promoting security and freedom of access for communications and information networks around the world and battling global cyber crime through focused diplomacy.
- Expanding tools and resources for investigating and prosecuting cyber-crimes in a manner that respects privacy rights and civil liberties and promotes innovation.
- Maintaining robust protections of the privacy of U.S. citizens and their online activities and communications.
Besides Carper, the bill's main sponsors are the chairs of other Senate panels with IT security oversight: Jay Rockefeller, D-W.Va., Commerce, Science and Transportation Committee; and Dianne Feinstein, D-Calif., Select Committee on Intelligence. Other sponsors, all Democrats, include Carl Levin of Michigan, Armed Service Committee chairman; Barbara Mikulski of Maryland, Appropriations Committee chairwoman; Sheldon Whitehouse of Rhode Island; and Chris Coons of Delaware."It's a good sign that the Senate and the House of Representatives have now both publicly stated that cybersecurity legislation is important and will continue as a priority in the 113th Congress," says Melissa Hathaway, who helped developed President Obama's and President Bush's cybersecurity policies.