A group of Republican senators on Thursday unveiled their response to an omnibus cybersecurity bill now circulating in the Senate, taking a decidedly more hands-off approach to the regulation of private industry.
Unlike the competing Lieberman-Collins cybersecurity bill, the GOP proposal, dubbed the “SECURE IT Act,” would grant no new authorities to the Department of Homeland Security or any other agency to enforce cyber safeguards on privately-owned critical infrastructure such as power grids and Internet service providers.
Instead, the approach would rely on what senators said would be new incentives for critical infrastructure operators to share threat information with one another and with federal agencies.
“In setting up our information sharing framework, we do not create any new bureaucracy,” said Sen. John McCain (R-Ariz.). “The goal is simple – to remove hurdles that prevent important information sharing with the people who need it most.”
McCain, the top Republican on the Senate Armed Services Committee, was joined at a Capitol news conference by seven other ranking GOP members of committees with large stakes in cyber issues, including Energy, Commerce, Intelligence, Judiciary and Veterans Affairs.
The senators argued that the Lieberman-Collins bill, which would give the Department of Homeland Security new authorities to define and regulate critical infrastructure, would hinder rather than help industry’s effort to secure its own infrastructure against cyber threats.
“It does not put industries in the position where they’re focused constantly on just the compliance aspect,” said Sen. Lisa Murkowski (R-Alaska). “They need to be focused on staying ahead of the cyber threat. If what they’re focused on is dotting every ‘i’ in an attempt to comply with the regulations, that’s not where the focus and energy should be.”
The bill introduced today would mandate information sharing by industry to the federal government in only one instance – when the threat information relates directly to a federal contract.
Otherwise, all information sharing about cyber threats would be voluntary, and the information would pass through existing regional federal cybersecurity centers operated by the National Security Agency. Senators said such sharing would be encouraged by new liability protections in their bill, including a provision that would shield companies from antitrust lawsuits when they share threat information with competitors. Companies would also be shielded from legal liability for actions they take to protect their own networks.
For federal agencies, the bill also would update the Federal Information Security Management Act (FISMA) to remove the “check the box” approach to compliance with federal IT security guidelines. The National Institute of Standards and Technology (NIST) would retain its role of setting security standards, but the Department of Homeland Security would be charged with carrying out an ongoing, automated threat assessment to provide a continuously-updated picture of the security of federal IT systems.
Additionally, civilian agencies would be required to report information about cyber threats and security incidents to federal cybersecurity centers, and agency chief information officers would be given statutory responsibility and authority to maintain an agency-wide IT security program.
The bill also includes provisions that senators said would strengthen and streamline criminal penalties against hackers and refocus federal cybersecurity research and development activities.
Lieberman, Collins, Rockefeller and Feinstein issued a joint statement on the alternative bill announced today.
“We are encouraged by our colleagues’ recognition that we must act to address the increasingly sophisticated and dangerous attacks on our national infrastructure. We can no longer delay action on deciding how to deal with this critical issue and we are eager to work with them to bring comprehensive cybersecurity legislation to the Senate floor as soon as possible.”
TechAmerica, a technology industry group, echoed those sentiments in a press release.
“It is very encouraging to see a focus on cybersecurity by so many members of the Senate, and we urge the authors of both bills to work together to create the best possible, bipartisan framework to enhance our nation’s cybersecurity. While proposals on information sharing, FISMA reform and cybersecurity R&D form a common ground to begin those discussions, we also hope that efforts to include a national approach to data breach notification will continue… And, as discussions continue, we ask Senators to remember that preserving industry’s ability to innovate and nimbly respond to cyber-attacks is critical to our national and economic security.”
McCain said he and his colleagues would offer their bill as a substitute for the Lieberman-Collins cyber legislation that Senate Majority Leader Harry Reid intends to bring directly to the Senate floor, bypassing committee hearings.
“We’ll be using whatever parliamentary procedures we can to get consideration of our bill,” he said. “I would like to have the chance to amend that bill before it gets to the floor. Senator Reid has dictated that it’s going to come directly to the floor, that’s his right. But I have my rights when it gets to the floor.”