Cyber bill accents threat-info sharing, government IT monitoring
Sen. Joseph Lieberman (I-Conn.) and bipartisan co-sponsors have reintroduced compromise cybersecurity legislation in what they call a “good faith effort to secure enough votes to address the immediate threat of attack from foreign nations, hacktivists, criminals, and terrorists against the nation’s most critical cyber systems.”
The revised Cybersecurity Act of 2012 relies on “carrots rather than sticks,” offering limited liability for organizations that share cyber threat information with government and relying on incentives for voluntary compliance rather than mandatory security standards for critical infrastructure.
The bill also would amend the Federal Information Security Management Act, putting a greater emphasis on continuous monitoring of government IT systems
“While the bill we introduced in February is stronger, this compromise will significantly strengthen the cybersecurity of the nation’s most critical infrastructure and with it our national and economic security,” Lieberman said in a prepared statement.
The original, more comprehensive bill introduced by Lieberman, who chairs the Senate Homeland Security and Governmental Affairs Committee, bogged down because of disagreement over the role of government in securing the nation’s critical infrastructure, which is primarily owned and operated by the private sector.
The bill gives the Homeland Security Department authority to mandate minimum standards for designated critical systems. Many Republicans criticized the regulatory approach and favored giving the National Security Agency a larger role in protecting civilian as well as government cyberspace.
President Barack Obama also weighed in, calling for passage of the bill in an op-ed column
in the July 20 edition of the Wall Street Journal declaring “Congress must pass comprehensive cybersecurity legislation.”
“We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared,” he wrote. “We need to make it easier for these companies—with reasonable liability protection—to share data and information with government when they're attacked. And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks.”
The president threatened to veto any bill lacking strong privacy and civil liberties protections and said that security standards should be developed in partnership between government and industry.
The compromise bill would make DHS the lead agency in cybersecurity and create a partnership to develop voluntary cybersecurity standards, offering rewards of immunity from liability for companies that meet those standards. Operators of designated critical infrastructure would be required to report significant cyber incidents in their systems.
Although the standards would not be mandatory, Lieberman warned that, “if that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system.”
The bill is co-sponsored by Sens. Susan Collins (R-Maine), ranking member of the Homeland Security and Governmental Affairs Committee; Commerce Committee Chairman Jay Rockefeller (D-W.Va.); Select Intelligence Committee Chairman Dianne Feinstein (D-Ca.); and Federal Financial Management Subcommittee Chairman Tom Carper (D-Del.).