GOP's alternative cyber bill sets up 'classic Washington duel'
The alternative cybersecurity bill introduced by a group of Republican senators encourages voluntary information sharing between the government and the private sector but includes no requirements for securing privately owned critical infrastructure.
The bill’s introduction sets up a “classic” political duel between sponsors of rival bills, according to one political observer.
It also would reform the Federal Information Security Management Act, specify penalties for computer crime, and encourage cybersecurity research and education.
The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology, or Secure IT, Act, introduced March 1, is the GOP response to bipartisan comprehensive cybersecurity legislation offered in February by Sen. Joseph Lieberman (I-Conn.). Although sponsors of the Cybersecurity Act of 2012 say it takes a light touch on security, the bill has been criticized as an attempt at an end-run around Senate committees claiming cybersecurity jurisdiction and for imposing too many regulations on industry.
Sen. John McCain (R-Ariz.) announced during a hearing on the Lieberman bill that ranking Republican members of Senate committees with cybersecurity oversight responsibility would introduce their own bill.
“Now is not the time for Congress to be adding more government, more regulation and more debt – especially when it is far from clear that any of it will enhance our security,” said Sen. Saxby Chambliss of Georgia, vice chairman of the Senate Select Committee on Intelligence and one of the bill’s co-sponsors. “Our bill offers the right solution to improving our nation’s cybersecurity by encouraging collaboration, investment and innovation.”
Both the Lieberman and McCain bills are notable for things they do not include, what former ambassador David Smith called the “two bugaboos” of cybersecurity legislation: A presidential “kill switch” for the Internet and monitoring of nongovernment networks by the National Security Agency.
“Everybody can relax,” said Smith, a senior fellow at the Potomac Institute for Policy Studies. He said that although neither bill is complete in itself, each contains good provisions that could be combined to produce a better bill. The real danger is that competing bills could block passage of needed legislation.
“We’re now set for a classic Washington duel on a vital matter of national security,” he said.
Smith dismissed the idea that owners and operators of critical infrastructure do not care about securing their systems, but he said that economic and competitive pressures can interfere with security. Owners are concerned with securing their own systems, but national security is the government’s responsibility, he said. “Some government regulation levels the playing field.”
Smith said one good point of the Secure IT Act is its definition of critical infrastructure, which is more precise than the one in the Lieberman bill. “Critical infrastructure computer” in the Secure IT Act “means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including”:
- Gas and oil production, storage, and delivery systems.
- Water supply systems.
- Telecommunication networks.
- Electrical power delivery systems.
- Finance and banking systems.
- Emergency services.
- Transportation systems and services.
- Government operations that provide essential services to the public.
The bill allows private system operators to collect threat information and disclose it to a government cybersecurity center or to any other entity that can help in mitigation. Government IT service providers must disclose threat information to their government customers, and the receiving agency must in turn pass it to a federal cybersecurity center.
Cybersecurity centers could disclose information to any agency and to other service providers. Information from private-sector sources would be considered commercial proprietary information and could not be made public outside of government without the provider’s consent. All such information would be shielded from FOIA and other disclosures.
Companies would retain broad control over the information they share and could restrict its future use. There also would be broad exemptions from civil and criminal liability for any cybersecurity activity, except for disclosure of classified information.
The bill calls for prompt sharing of classified information with cleared nongovernment personnel, and for security clearances to be expedited. Information also would be declassified when possible and shared quickly.
The bills would put the Homeland Security Department in charge of FISMA compliance, a role now held by the Office of Management and Budget, although some of that responsibility is being delegated to DHS. The department would require binding risk-based security policies that include minimum operational requirements and a system for providing common situational awareness across government. The National Institute of Standards and Technology would develop standards for compliance, a role that NIST currently holds.
The bill calls for annual security audits by agency inspectors general or a third party, and includes no new funding for any cybersecurity activities.