Five senior senators are taking one more whack at getting a comprehensive cybersecurity bill passed this session.
Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.) and Tom Carper (D-Del.) introduced a revised Cybersecurity Act of 2012 with a compromise on the most controversial sections regarding critical infrastructure. The changes mark a last ditch effort to pass the bill before the August recess and before Congress must turn its attention to the inevitable budget battle ahead.
“This compromise bill creates a public-private partnership to set cybersecurity standards for critical American infrastructure, and offers the reward of some immunity from liability to those who meet those standards,” Lieberman said in a release. “In other words, we are going to try carrots instead of sticks as we begin to improve our cyber defenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America’s cybersecurity. If that doesn’t work, a future Congress will undoubtedly come back and adopt a more coercive system.” Lieberman said the bill introduced in February is stronger, but the revised bill still will make a difference.
According to Collins, the compromise represents the best chance to pass a comprehensive bill this year.
“Our bill is a good-faith effort to address the concerns of members of both sides of the aisle by establishing a framework that relies upon the expertise of government and the innovation of the private sector,” she said in the release. “It would set voluntary, outcome-based cybersecurity best practices and encourage adoption by companies through various incentives. It also promotes the sharing of cyber threat information within the private sector and with government in real-time, while safeguarding privacy and civil liberties.”
The new critical infrastructure section of the bill calls for the President to establish a National Cybersecurity Council made up of the departments of Commerce, Defense, Homeland Security, Justice and the intelligence community, and any agencies with sector-specific oversight responsibilities such as the Federal Energy Regulatory Commission (FERC).
The council would have six responsibilities, including:
Assessing the risks and vulnerabilities of critical infrastructure systems,
Developing a way to let critical infrastructure operators know of threats, and
Creating an incentive-based system for owners and operators to adopt cybersecurity measures.
Within six months of the bill becoming law, the council would have to complete an assessment of “the threats, vulnerabilities and consequences and the probability of a catastrophic incident and associated risk across all critical infrastructure sectors to determine which sectors pose the greatest immediate risk, in order to guide the allocation of resources for the implementation of this Act.”
President Barack Obama wrote an opinion piece Thursday in the Wall Street Journal encouraging Congress to pass the comprehensive cyber legislation.
“This is exactly the kind of responsible, collaborative approach to an urgent national-security challenge that Americans expect but that Washington too rarely provides,” the President wrote. “It reflects the insights and ideas of industry and civil libertarians. It is sponsored by a bipartisan group of senators. It is supported by current and former homeland security, intelligence and defense leaders from both Republican and Democratic administrations.
“Today we can see the cyber threat to the networks upon which so much of our modern American lives depend. We have the opportunity — and the responsibility — to take action now and stay a step ahead of our adversaries.”
Senate Majority Leader Harry Reid (D-Nev.) is likely to bring the bill to the floor for debate next week.
Another difference between the revised bill and the original is the role DHS plays. In the earlier version, DHS would’ve had broad oversight authority to set cyber standards for critical infrastructure owners. Sen. John McCain (R-Ariz.) led a broad base of members who were unhappy with both DHS’ role and the mandatory cyber requirements. McCain introduced a competing version of a comprehensive cyber bill that takes a “hands-off” approach to industry regulation. It also called for the National Security Agency to play the lead role in the oversight effort rather than DHS.
Under the new bill, the private sector would recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks. The council would review, approve and modify the standards as necessary to address the risks.
It would also encourage critical infrastructure owners to voluntarily implement the cybersecurity standards, and either self-certify or be assessed by a third-party. The council would have to establish the program within a year of the bill becoming law.
Owners who join the program would become eligible for benefits including liability protections, expedited security clearances and priority assistance on cyber issues.
The bill’s authors say the legislation “creates no new regulators and provides no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.”
DHS would also create a “cyber tip line” where whistleblowers or the public could anonymously report threats and vulnerabilities about critical infrastructure owners.
The legislation includes the update to the Federal Information Security Management Act (FISMA), which would expand DHS’ role to oversee federal civilian networks.
The FISMA modernization includes what some have called a controversial provision that could give DHS the ability to take over contractor systems.
The provision gives the DHS secretary the ability to direct or authorize any lawful action or protective capability to protect agency information from unauthorized access, use, disclosure, disruption, modification or destruction. It also would let the secretary require remediation of or to protect against risks of systems holding federal data, including those used and operated by a contractor or other organization on behalf of an agency.
Along with FISMA updates, the bill would add more requirements to how agencies manage and oversee technology. It would create a National Center for Cybersecurity and Communications in DHS, with a director appointed by the President. Among the responsibilities of the NCCC would be to “manage federal efforts to secure, protect and ensure the resiliency of the federal information infrastructure, national information infrastructure and national security and emergency preparedness communications infrastructure.”
Another provision would require DHS to develop a federal acquisition risk management strategy. Among the things the document would do is address risks in the acquisition process, incorporate all-source intelligence into the analysis of a vendor’s supply chain, and enhance software and hardware test and evaluation capabilities.
A separate section addresses federal cyber research and development and yet another creates a federal cyber scholarship-for-service program.
The Office of Personnel Management also would lead an effort to assess the federal cyber workforce and develop a strategy to address how best to enhance the readiness, capacity, training and recruitment and retention of cybersecurity personnel within six months of the bill becoming law.
OPM also would be required to issue within a year a comprehensive cybersecurity occupational series.
Finally, OPM would have to “establish a cybersecurity awareness and education curriculum that shall be required for all federal employees and contractors engaged in the design, development, or operation of an agency information infrastructure or the federal information infrastructure.”
Support far and wide
Some industry groups are still reviewing the bill to determine their support of the changes.
“These senators have clearly shown a commitment to keeping cybersecurity a priority and we look forward to thoroughly analyzing their new proposal with our members,” said Kevin Richards, TechAmerica’s senior vice president of federal government relations in a statement. “It is imperative that any legislation that passes the Senate strike the right balance by prioritizing our nation’s cybersecurity without hindering the future of America’s information and communications technology companies in a way that would open them up to unnecessary liability or hamper our industry’s ability to innovate and respond to the latest cyber threats.”
The revised bill received broad support from others in the federal community.
Sharon Bradford Franklin, senior policy counsel at The Constitution Project, said in a statement that the bill would “go a long way toward alleviating our concerns about the threats the cybersecurity legislation posed to our fundamental constitutional rights. The information-sharing provisions of this bill are now not only better than earlier versions offered in the Senate, but are vastly superior to those in the Cyber Intelligence Sharing and Protection Act (CISPA) passed earlier this year in the House.”
Leslie Harris, the president and CEO of the Center for Democracy and Technology, added in a statement that the privacy and civil liberties provisions addressed their concerns and makes the bill better than CISPA and McCain’s version.
Michelle Richardson, legislative counsel of the American Civil Liberties Union’s Washington Legislative Office, wrote in a blog that the bill improves privacy protections.