Senators Purge Regulations from Cybersecurity Bill
Obama Calls for Passage of Revised Cybersecurity Act of 2012
A group of senators reintroduced the Cybersecurity Act of 2012 on July 19 without provisions that appeared in an earlier version of the bill to let the federal government establish IT security standards for the mostly privately-owned national critical IT infrastructure.
Shortly after the bill was reintroduced, President Obama called for its passage. "We have the opportunity - and the responsibility - to take action now and stay a step ahead of our adversaries," Obama wrote in an article posted on the website of the Wall Street Journal and distributed to the media. "For the sake of our national and economic security, I urge the Senate to pass the Cybersecurity Act of 2012 and Congress to send me comprehensive legislation so I can sign it into law. It's time to strengthen our defenses against this growing danger."
Purging any form of regulation from the legislation is a concession to Republican lawmakers, who oppose the government regulating infrastructure owners and whose opposition to the legislation prevented it from coming up for a vote in the Senate.
"This is not quite the case of half a loaf is better than none; this is a case where a quarter of a loaf is better than none," says Allan Friedman, research director at the Center for Technology Innovation at the Brookings Institute, a think tank.
The only Republican senator to voice support for the original bill [see Senators Unveil Major Cybersecurity Bill] was co-sponsor Susan Collins of Maine, the ranking member of the Homeland Security and Governmental Affairs Committee, which is chaired by Joseph Lieberman, ID-Conn., the bill's chief sponsor.
Collins characterized the revised bill as an effort to move this overdue legislation forward, representing "the Senate's best chance to pass cyber legislation this year."
A vote on the bill could come as early as next week. "Our bill is a good-faith effort to address the concerns of members of both sides of the aisle by establishing a framework that relies upon the expertise of government and the innovation of the private sector," Collins says.
The reworking of the legislation could win Republican votes, but James Lewis, director of the technology and public policy program at the Center for International and Strategic Studies, a think tank, wonders if passage would enhance cybersecurity: "It makes no real difference if this bill passes or not. There are no new authorities, no real incentives and a convoluted process."
According to a statement issued by the bill's sponsors - who also include Democrats Thomas Carper of Delaware, Dianne Feinstein of California and Jay Rockefeller of West Virginia - the legislation would:
- Establish a multi-agency National Cybersecurity Council - chaired by the secretary of Homeland Security - to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems, which control the flow of money, energy, food, transportation and other vital resources that the economy needs to function. Like the original bill, the revised version calls for a Senate-confirmed director to head a DHS-based National Center for Cybersecurity and Communications to coordinate federal efforts to battle cybersecurity threats facing the government and the nation's critical information infrastructure.
- Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
- Allow owners of critical infrastructure to participate in a voluntary cybersecurity program. Owners could join the program by showing either through self-certification or a third-party assessment that they are meeting the voluntary cybersecurity practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances and priority assistance on cyber issues.
- Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
- Require designated critical infrastructure - those systems which if attacked could cause catastrophic consequences - to report significant cyber incidents.
- Oblige the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
- Permit information sharing among the private sector and the federal government to share threats, incidents, best practices and fixes, while preserving the civil liberties and privacy of users.
Addressing Civil Liberties Concerns
Obama said he would veto any legislation that lacks strong privacy and civil liberties protections. Some civil libertarians criticized the earlier bill, as well as cybersecurity legislation approved this spring by the House of Representatives, as not protecting the personal data of individuals.
Michelle Richardson, legislative counsel with the American Civil Liberties Union, said in a blog posting that the revised bill has addressed what she saw as privacy and civil liberties shortfalls that existed in the original legislation as well as the House-passed Cyber Intelligence Sharing and Protection Act, known as CISPA [see With CISPA's Passage, What Next?].
"What's clear is that the cyber train is leaving the station and we are happy to help break the news that it looks like the Senate is moving to pass something much better than CISPA from a privacy standpoint," Richardson wrote.
Brookings' Friedman says the new Cybersecurity Act seems to move the ball forward in terms of addressing information sharing by providing for federal government oversight, but might not achieve the goal to adequately protect critical infrastructure without regulation to compel businesses to invest in IT security.
Robert Bigman, who retired earlier this year after 15 years as chief information security officer of the Central Intelligence Agency, doesn't see this bill providing much cybersecurity protection. "This proposal reduces the government role to cheerleader and redefines the accepted role of government as a regulator," he says. "Tell me why it is okay to have the government play a regulatory role when it comes to airline safety, food safety, car safety and the environment, but it is reduced to partner status when it comes to cyber safety?"
Lieberman said he understands the bill might not be as strong as the one he originally introduced. "We are going to try carrots instead of sticks as we begin to improve our cyber defenses," he says. "This compromise bill will depend on incentives rather than mandatory regulations to improve America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."
But that future Congress would need to act without Lieberman, a leading proponent in Congress on cybersecurity matters for over a decade. He will retire from the Senate at year's end.