International Trade Today is a service of Warren Communications News.
Perfection ‘Enemy of the Necessary’

Senate Cybersecurity Bill Fails to Satisfy ‘Substantive Concerns,’ Senators Say

Senators gave mixed praise to the Senate Cybersecurity Act Tuesday, both commending the bill for addressing cyberthreats to the U.S. and citing a lack of procedural cohesion over its development. The Cybersecurity Act (http://xrl.us/bmr4rs) gives the secretary of the Department of Homeland Security (DHS) the authority to lead the nation’s cybersecurity response and fortify the nation’s critical infrastructure and federal networks. The legislation provides a framework for sharing cyberthreat information between the federal government and the private sector, amends the Federal Information Security Management Act (FISMA), strengthens the partnership between DHS and the Department of Defense (DOD), increases cybersecurity research and development and cybersecurity recruitment and training.


S-2105 was sponsored by Senate Homeland Security Committee Chairman Joe Lieberman, I-Conn., Ranking Member Susan Collins, R-Maine, Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif. Lieberman said the bill would “begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies.” Collins said the bill is needed to “achieve the goal of improving the security of critical cyber systems and protecting our national and economic security.”

Rockefeller urged lawmakers to embrace the bill as a means to stave off a major cyber event, during a speech Tuesday on the Senate floor. “We are on the brink of what could be a calamity,” he said. The bill strikes the right balance, “without putting a new set of regulations on business,” and “it’s premised on companies taking responsibility for their own networks,” Rockefeller said. The bill also aims to improve threat and vulnerability information sharing between the public and private sectors while protecting privacy and civil liberties, he said.

Senate Majority Leader Harry Reid, D-Nev., urged lawmakers to move quickly in order to “give our national security community the tools they need to protect us.” The bill “strikes an appropriate balance between the demands of protecting our national security, the necessity of protecting private sector innovation, and the rights of individual citizens,” he said.

Senate Judiciary Committee Chairman Pat Leahy, D-Vt., welcomed the bill and said Senate consideration of cybersecurity legislation is “long overdue.” Sen. Tom Carper, D-Del., said he was encouraged that the legislation includes measures that “take necessary precautions to secure and protect the government networks that house Americans’ personal and sensitive information.” “Our critical infrastructure is dependent upon the security and resiliency of America’s information infrastructure. That’s why it’s so important that we work in a bipartisan manner to get a strong bill on the President’s desk soon,” Carper said.

But the bill did not satisfy some Republicans’ “substantive concerns” and “process concerns,” said a letter Tuesday by Sens. Kay Bailey Hutchison, R-Texas, John McCain, R-Ariz., Chuck Grassley, R-Iowa, Saxby Chambliss, R-Ga., Lisa Murkowski, R-Alaska, Jeff Sessions, R-Ala., and Mike Enzi, R-Wyo. The Republican group urged Majority Leader Harry Reid, D-Nev., and Minority Leader Mitch McConnell, R-Ky., to provide time for lawmakers to review the bill prior to its floor consideration “so that Senators can be properly educated on this complicated measure.”

Though the letter did not identify any specific concerns with the 207-page bill, it raised objections to the way it was drafted and its lack of consideration in the “relevant committees.” “Given the serious national security and economic consequences of any [cybersecurity] legislation, it is imperative that the other committees of jurisdiction be given the opportunity to shape the legislative outcome in a bipartisan manner,” it said. Reid’s decision to consider the legislation through bipartisan working groups was unfortunate because they met “infrequently -- if at all -- and did not function constructively,” the letter said.

Co-founder of the Congressional Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., urged the Senate to pass the bill despite his reservations about private sector security requirements. “While I am hopeful we can continue to improve upon the critical infrastructure provisions regarding rules to ensure compliance with minimum security requirements that protect our citizens, we must not allow the perfect to be the enemy of the necessary,” he said.

The bill defines a U.S. system or asset as covered critical infrastructure if a cyberattack against it could interrupt life-sustaining services sufficient to cause a mass casualty event or mass evacuations, catastrophic economic damage to the United States or severe degradation of national security. Major generation transmission facilities and major water treatment facilities are systems that could fit the definition, said aides representing the Senate Commerce, Homeland Security and Intelligence committees during a press briefing Tuesday. The language reflects the critical infrastructure provision of the House PrECISE Act, which unanimously passed the House Cybersecurity Subcommittee earlier this month (CD Feb 2 p8).

Under the legislation, DHS would pursue a tiered development of cybersecurity performance requirements for covered critical infrastructure owners and operators. First the secretary of Homeland Security would collaborate with the private sector to determine which sectors of U.S. industry are most vulnerable to the risk of a cyber attack and should therefore be considered “covered.” Then the DHS secretary would identify where private sector performance requirements are inadequate and develop new performance requirements for owners and operators of covered critical infrastructure. Finally, the owners and operators of covered critical infrastructure would select and implement the cybersecurity measures they determine to be best suited for their operations.

Owners of critical infrastructure will be exempt from meeting federal performance requirements if they're already regulated by another federal agency or an owner can verify that it’s taken the necessary steps to protect its critical system from cyber attacks, the bill said. Third-party operators would conduct annual assessments for critical infrastructure operators to determine that the measures are sufficient to satisfy the DHS cybersecurity performance requirements. The bill gives the president the power to exempt covered critical infrastructure if he determines that the appropriate sector-specific agency has regulations in place to effectively mitigate the identified cyber risks.

"We are naturally delighted to see action on cybersecurity being considered in the Senate,” said Larry Clinton, president of the Internet Security Alliance. “There is a real opportunity here to craft a bill that can attract broad bipartisan support and make it through the Congress,” he told us Tuesday. “But the bill we are seeing this morning seems to depart from the consensus of all the other documents which argue for a system of [private sector] engagement and incentives and moves to a regulatory structure,” he said. “This has to be a solution that is going to motivate the private sector. If the owners and operators become more concerned with meeting a pre-set federal requirement than focusing on the evolving security threat in front of them, that makes the situation worse.”

The bill provides limited safe harbor protections to owners of covered critical infrastructure who are in “substantial compliance” with cybersecurity performance requirements. It also enables private entities to disclose or receive “lawfully obtained” cyberthreat information with the government and contains legal safeguards for private sector entities that voluntarily disclose cyberthreats.

The bill does not create a non-governmental entity to facilitate information sharing between the private sector and the federal government. Instead, it requires DHS to assign a federal entity as the lead cybersecurity exchange to facilitate information sharing, interaction, and collaboration among federal entities; state, local, tribal, and territorial governments; private entities; academia; international partners; and other cybersecurity exchanges. The bill also calls for an assessment of existing and proposed information sharing models to create the most effective program sometime in the future.

One “big negative” of the bill is that it doesn’t require a civilian authority to run the government’s information sharing regime, said Michelle Richardson, a legislative counsel for the ACLU’s Washington office. “I think the massive red flag is that the military could be the recipient of America’s Internet usage data,” she said. “You really upset the balance of power by inserting the military into this,” she told us Tuesday. Civilian agencies, on the other hand, have “all sorts of checks and balances. They are more accountable and generally less secretive.”

The bill calls for DHS to consolidate the National Cyber Security Division, the Office of Emergency Communications, and the National Communications Systems into a new National Center for Cybersecurity and Communications. The new organization would be directed by the secretary of Homeland Security and a member of the intelligence community, assigned by the director of national intelligence. The group would be composed of representatives from the departments of Defense, Justice, and Commerce and include a full time chief privacy officer to ensure the protection of privacy and civil liberties.

The bill aims to amend and modernize FISMA by requiring the federal government to develop a comprehensive acquisition risk management strategy. The changes would give DHS more oversight over FISMA, increase continuous monitoring and risk assessment of federal information systems, and clarify DHS authority over Einstein, the government’s intrusion detection and prevention system. The changes would also require federal agency heads to update information security programs and report on any significant security deficiencies.

The legislation also reforms the way cybersecurity personnel are recruited, hired and trained and calls for a cybersecurity research and development program to advance the development of new technologies. Proposals for data security breach notification and an update to the criminal codes could be included in the legislation, Senate Committee aides told reporters Tuesday.