Competing cybersecurity bills offer best of both worlds

David Smith, Potomac Institute Cyber Center

Michael O'Connell | June 4, 2015 6:07 pm

The Senate now has two cybersecurity bills on its plate.

Last week, Sen. John McCain (R-Ariz.) and seven other Republican senators introduced the SECURE IT Act. The bill came two weeks after Sens. Joseph Lieberman (I-Conn.), Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.) and Susan Collins (R-Maine) introduced the Cybersecurity Act of 2012.

Former Ambassador David Smith, now with the Potomac Institute Cyber Center, told The Federal Drive with Tom Temin there are things to like in both Senate bills.

“We have a serious national security issue and two teams of people have taken a crack at it,” Smith said. “I think each one of them has got some strong points. Rather than have a duel, we need to have the best of both and let’s do what’s right for the security of the country.”


Smith said part of the problem is that many of the assets government would be trying to protect with a cyber bill are now privately owned. Both bills currently on the table address this issue in different ways.

“Sen. McCain’s bill tries to do this in what is a voluntary partnership between these privately owned, critical infrastructure industries and the government,” Smith said.

The bill’s protections for privacy and the way the government obtains information are strong, Smith said. It also sets up research and development programs and defines critical infrastructure in a more focused way.

“There are criminal penalties that are established, not only for violating the act itself, but for certain things like damaging a critical infrastructure computer,” he said. “That would become criminalized.”

Smith believes McCain’s bill falls down, though, in making all of its proposed security measures voluntary.

“The problem with a private business is you’re always worried that the other guy is going to undercut you by not doing what you might volunteer to do,” Smith said. “So, you have a disincentive to spend that money that you have to spend on something like cybersecurity.”

The Lieberman bill offers many of the same protections as the McCain bill, but makes all of its cybersecurity measures mandatory.

“It gets right at that privately-owned, critical infrastructure. It is mandatory. The secretary, in combination with business, has to define what critical infrastructure is, then develop the standards, and then the industry can meet the standards any way it wants…I think we need to put the two together,” Smith said.

When asked if he thinks a cyber bill will become a reality, Smith said yes.

“There are some things in both of these bills we need to look at. Maybe there is a middle ground. Maybe there are some voluntary, but nonetheless, pretty strict guidelines that could be used with industry…I think we all ought to put our hands in this together and work it out, and I think there’s a pretty good chance that is going to happen.”

