Senate Ironing Out Critical Infrastructure, Information Sharing, Other Issues to Bring Forth Cyber Bill
Some members of the Senate said they're confident there’s more agreement on cybersecurity throughout the chamber, which puts the Senate in a position to bring forth legislation soon. Some members of the technology industry agreed there seems to be less tension around issues, like information sharing and Federal Information Security Management Act (FISMA) reform, but other components must be ironed out.
Sen. Dianne Feinstein, D-Calif., expects Congress to act this year. “I believe a bipartisan consensus is emerging that balances network protection with privacy and civil liberties,” she said in a statement. The Senate has shifted from holding hearings to drafting and debating bills, “and we’re clearly nearing a point where legislation will be brought to the Senate floor.”
Sen. Joe Lieberman, I-Conn., chairman of the Senate Homeland Security and Governmental Affairs Committee, said consensus is growing around covered critical infrastructure within working groups. He’s “ready and eager to bring comprehensive cybersecurity legislation to the floor,” a committee aide said. Lieberman introduced S-1430, which proposed emergency powers for the president. A draft of a proposal on protecting critical infrastructure does not include language defining authority for the Obama administration in the event of a cyber emergency. The draft was authored by a Senate working group, a committee spokeswoman said.
“A growing number of cyber incidents have raised the awareness level of the issue in Congress, helping to build even more consensus around efforts to pass legislation,” said an aide for the Commerce Committee. Chairman Jay Rockefeller, D-W.Va., “is confident the Committee’s expertise will be a key part in negotiating the terms of an agreement.”
Senate Majority Leader Harry Reid, D-Nev., plans to bring comprehensive legislation to the floor during the chamber’s first work week (CD Nov 18 p11), but whether he moves an omnibus bill remains to be seen, said Jim Dempsey, public policy vice president at the Center for Democracy & Technology. “To complicate matters further, the senior Republican leaders in the Senate have recommended that the Senate legislation cover information sharing, FISMA, the Computer Fraud and Abuse Act and cybersecurity research only.” This piecemeal approach mirrors the House’s preference for a “discrete bill addressing specific issues,” he added. Reid’s office didn’t return a request for comment.
White House Cybersecurity Coordinator Howard Schmidt urged Congress to pass comprehensive cybersecurity legislation this session, rather than several limited bills, in a White House blog post (http://xrl.us/bmpzgn). “It is our sincere hope that members of Congress will ... continue to work in a bipartisan manner to quickly enact legislation to address the full range of cyber threats facing our nation,” said Schmidt.
Schmidt’s remarks stand in stark contrast to the recommendations of the House Republican Cybersecurity Task Force and its leader, Rep. Mac Thornberry, R-Texas. At a House Small Business Committee hearing in December, Thornberry said cybersecurity legislation should be addressed in piecemeal fashion rather than pushing for one comprehensive bill. The GOP task force also suggested that information sharing occur through the conduit of a new, non-governmental entity and urged federal incentives, rather than federal mandates, as a means to promote greater cybersecurity in the private sector.
Schmidt threw cold water on a cybersecurity information sharing bill proposed last year by House Intelligence Committee Chairman Mike Rogers, R-Mich., and Ranking Member Dutch Ruppersberger, D-Md. The Cyber Intelligence Sharing and Protection Act aims to increase cyberthreat information sharing between national intelligence agencies and the private sector. But Schmidt said that “only providing incentives for the private sector to share more information will not, in and of itself, adequately address critical infrastructure vulnerabilities.”
The need for information sharing is supported in legislation from the Senate, House and White House. Some experts said there’s agreement that information sharing is critical, but Congress must work out details to make it as effective as possible. The private-public component of information sharing “needs to be worked out very carefully,” said David Valdez, public advocacy senior director at CompTIA. There should be some liability provision so that companies “are not fearful of sharing information out of concern it’ll be misused or used by law enforcement to initiate criminal action against critical infrastructure owners or operators.”
A requirement for the flow of information between the private sector and government will be difficult to establish, Dempsey said. The Senate will need to work out “what private sector information could or should flow back to the government and how can you promote information sharing among the private sector so they can share information with each other and learn from each other’s experience.”
In addition to information sharing, other issues should be included, like data breach notification, FISMA reform, research and development, and workforce enhancement, said Randi Meyers, federal government affairs director at TechAmerica. However, the Senate must still work on regulating and defining critical infrastructure, she said. CompTIA thinks “they're moving in the right direction on critical infrastructure but not there yet,” said Valdez. The Senate hasn’t pinned down how critical infrastructure should be protected, he said. There are questions around whether a third-party assessment of critical infrastructure protections should be required, he said. “I do think it’s possible that there will be emerging consensus in the weeks to come.”