The Senate’s comprehensive cybersecurity bill may have been three years in the making, went through multiple renditions and been reviewed by hundreds of people in Congress, industry, the government and academia, but it’s far from a done deal.
A growing number of Republican lawmakers and industry officials are concerned about the section of the bill trying to address perceived vulnerabilities in critical infrastructures, such as power grids, water systems and telecommunications services.
The U.S. Chamber of Commerce joined a chorus of Republican lawmakers charging that the bill calls for too much regulation of critical infrastructure owners and operators by the Homeland Security Department. They also say the bill calls for redundant oversight mechanisms.
What the lawmakers and industry groups don’t disagree on is the immediate need for comprehensive cyber legislation to combat the growing threat.
The issue is how best to get there. “I question why we have yet to have a serious discussion on who is best suited to protect our country from this threat,” said Sen. John McCain (R-Ariz.) Thursday during a hearing on the Cybersecurity Act of 2012. “If the legislation before us today would be enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses, which own roughly 90 percent of the critical cyber infrastructure. The regulations that would be created under this new authority would stymie job creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates.”
Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.) introduced the bill Tuesday. Senate Majority Leader Harry Reid (D-Nev.) put the bill on the Senate’s calendar to bring it to the floor for a vote in the coming weeks.
Legislative process is “ridiculous”
Reid’s actions didn’t sit well with McCain. He said the majority was hurrying through the legislative process, calling it “ridiculous” to put the bill on the calendar without any hearings or markups.
Lieberman and Collins throughout the hearing tried to refute criticisms of the bill.
“We have reached out not only to everybody who was possibly interested in this bill outside of the Congress, but opened this process to every member of the Senate who wanted to be involved,” Lieberman said responding to McCain’s criticisms. “We pleaded for involvement. A lot of people, including yourself, have not come to the table.”
McCain also questioned whether the bill had been too influenced by technology company lobbyists.
“I’d like to find out over the next few days what specific factors went into providing regulatory carve-outs for the IT hardware and software manufacturers,” McCain said. “My suspicion is this has more to do with garnering political support and legislative bullying than sound policy considerations. However, I think the fact that such carve-outs are included lends credence to the notion that we shouldn’t be taking the regulatory approach in the first place.”
A Senate staff member said earlier in the week at a press briefing that if critical infrastructure systems included common technology hardware and software, such as products made by Microsoft or Cisco, the owners and operators also would have to apply needed cyber fixes to that commercial-grade IT.
McCain said he and six other Republican Senators will introduce their version of a comprehensive cybersecurity bill after the President’s Day recess. He said it will focus on a collaborative approach with industry that stresses information sharing.
Lieberman applauded the prospect of the bill, saying it was about time these members got involved in this national security issue.
Others express disapproval
McCain wasn’t alone in offering disapproval of the bill. Former DHS Secretary Tom Ridge told the committee, on behalf of the U.S. Chamber of Commerce, that the bill focuses too much on regulation and not enough on collaboration and information sharing.
“We don’t need a piece of legislation, at least from the Chamber’s point of view, that identifies critical infrastructure. We’ve been working on that for 10 years,” he said. “What we do need and where we tip the hat because compared to the first mark of the President’s bill to this mark, the information sharing…is a vast improvement from the one that was initially considered by the administration. We are not ready to embrace it in its totality, but the concept, the focus and the direction of it being bilateral is the way to go.”
Ridge also said the critical infrastructure operators already understand the importance of cybersecurity because their customers and profits demand it. He said the critical infrastructure sector coordinating councils provide a successful collaborative environment between government and industry, and the provisions in the bill to make information sharing easier are more important than DHS oversight and regulation.
The four authors of the bill thought they had vetted the legislation widely and broadly enough.
Collins said since 2005 the Homeland Security and Governmental Affairs Committee has held 10 hearings on the cyber threat and has been working on this latest bill for almost a year.
Collins went through a number of changes requested by the Chamber. She said the bill includes a provision allowing critical infrastructure sectors already regulated by the government to be eligible for waivers, and entities able to prove they are sufficiently secured would be exempted from most of the requirements under this bill.
She said the bill would require the use of existing cybersecurity requirements and current regulations.
Ridge acknowledged the changes to the bill, but said it also gets to the heart of the problem.
“Some of that oversight is being done within the existing process and protocol,” Ridge said. “And with the dramatic potential changes in the information sharing, it’s a system that will work.”
Most pressing legislative priority
On the other side of the spectrum, DHS Secretary Janet Napolitano told the committee the administration supports the bill and believes it is the most pressing legislative priority before Congress today.
She tried to address each of the three areas of concern outlined by McCain, Ridge and others. Napolitano said the first area of confusion is the belief that the bill is a regulatory bill and that it will be burdensome to comply with.
“It’s a security bill, not a regulatory bill,” Napolitano said. “It really is designed with making sure we have a basic level of security and we have a way to exchange information that allows us to do that without private sector parties being afraid of violating other laws.”
The second concern is around privacy. Napolitano said the American Civil Liberties Union supported the tack the drafters took to ensure civil liberties were not encroached upon.
Finally, she said DHS’ new role would not duplicate efforts by the NSA.
“We are taking the NSA and using it to the extent we can within the framework of the bill to protect our cyber networks,” she said. Napolitano and bill supporters also received some unexpected support from the Defense Department.
Lieberman said Defense Secretary Leon Panetta; Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff; James Clapper, the director of National Intelligence; and Gen. Ronald Burgess, the director of the Defense Intelligence Agency, threw their collective weight behind the bill while testifying earlier this week before the House and Senate armed services committees.
“We can’t place enough emphasis on it,” Dempsey said, adding that there is nowhere in the U.S. that is adequately protected against cyberattacks by fringe groups and hackers.
More controls are needed
In fact, other experts at the hearing pushed lawmakers to tighten DHS’ control over critical infrastructure owners and operators.
Stewart Baker, a former DHS and NSA official and now a lawyer with the firm of Steptoe and Johnson, and James Lewis, a senior fellow at the Center for Strategic and International Studies, told Senate lawmakers the bill could let many companies avoid regulation entirely or drag out the process for up to eight years before they would actually have to improve their computer security.
The legislation would limit the number of industries subject to regulation to those in which a cyberattack could cause “an extraordinary number of fatalities” or a “severe degradation” of national security.
“So an individual infrastructure owner, such as a rural electricity provider, has no responsibility under this title if it can show that an undefended cyberattack would only cause an ordinary number of fatalities?” Baker said. “How many dead Americans is that, exactly?”
Lewis said the bill has been weakened by corporate and other interests arguing against any attempt at regulation.
By using “terms like mass casualties, mass evacuations, or effects similar to weapons of mass destruction, we are essentially writing target lists for our attackers,” said Lewis. “They will attack what we choose not to defend.”