Support Builds for Action on Senate Cybersecurity Bill
The Senate Cybersecurity Act, S-2105, gained momentum Wednesday following endorsements from the White House, Joint Chiefs of Staff and some technology groups. Senate Homeland Security Committee Chairman Joe Lieberman, I-Conn., said there’s “no reason for further delay” on cybersecurity legislation. His remarks came in a speech on the Senate floor Tuesday evening.
“If we don’t act now to secure our computer networks, sometime in the near future we will be forced to act in the middle of a mega cybercrisis,” he said. “And in those situations, Congress rarely does its best work. That’s why it is essential we pass this bill now.” Lieberman sponsored the Cybersecurity Act along with Ranking Member Susan Collins, R-Maine, Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif. (CD Feb 15 p9).
Lieberman rejected calls to slow the bill’s consideration, saying the legislation had been “thoroughly vetted” prior to introduction. The bill, which was formally introduced Tuesday, faced scrutiny from seven Republicans who urged Senate Majority Leader Harry Reid, D-Nev., and Minority Leader Mitch McConnell, R-Ky., to delay the bill’s floor consideration “so that Senators can be properly educated.” That request came in a letter sent Tuesday. “It is imperative that the other committees of jurisdiction be given the opportunity to shape the legislative outcome in a bipartisan manner,” said the letter from Sens. Kay Bailey Hutchison, R-Texas, John McCain, R-Ariz., Chuck Grassley, R-Iowa, Saxby Chambliss, R-Ga., Lisa Murkowski, R-Alaska, Jeff Sessions, R-Ala., and Mike Enzi, R-Wyo. But Lieberman said “we are not rushing this. This bipartisan legislation has been three years in the making and its outlines have not only been shared with stakeholders and the public, but their input has helped shape the final version of the bill before us today.”
Lieberman sought to quell private sector concerns that the legislation would impose new requirements on businesses and said “there is nothing in this bill that would stifle innovation. The bill focuses on securing that which is not secure today -- not on putting new requirements on companies that are doing all the things they should be doing to protect both themselves and our national security.”
Lieberman confirmed that the highly contentious “kill switch” provision in his previous cybersecurity bill, the Protecting Cyberspace as a National Asset Act, was not included in the most recent version. Public opposition to the provision effectively sank Lieberman’s prior bill despite the fact that it would explicitly forbid the president or “any other officer or employee of the federal government” to shut down the Internet. Lieberman told lawmakers that the Cybersecurity Act “does nothing to affect the day-to-day workings of the Internet” and so public reaction to the bill would not be inflamed like it was with the Stop Online Piracy Act and the PROTECT IP Act.
The Obama administration was pleased with the “comprehensive approach” in the Senate Cybersecurity Act, a White House spokesman told us. “We fully support the fact that the bill provides DHS the authority to address critical infrastructure risks and to enable greater sharing of cybersecurity information while preserving privacy and civil liberties.”
A senior administration official said the bill would enable the government to work with critical infrastructure companies to ensure they are “adequately understanding and addressing the nation’s cyber risks.” The legislation also would ensure more information sharing about cyber risks, give critical infrastructure companies the ability to alert government agencies about serious breaches, and enable the government to help companies protect against the online theft of intellectual property, the official said. The White House offered its cybersecurity recommendations in May and asked Congress to revise the Federal Information Security Management Act, enhance intrusion prevention systems and increase federal cybersecurity recruitment (CD May 13 p10).
The military “strongly supports” the Cybersecurity Act, said Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey during a Senate Armed Services Committee hearing Tuesday. The legislation helps “to get us in the proper place in dealing with the cyberthreat, which is significant and growing,” he said. Undersecretary of Defense Robert Hale said at the hearing that the bill “reflects all of the issues that we think are important to address.” Hale testified that the Defense Department would work with the Senate to ensure that it “addresses our concerns about trying to make this country better prepared to deal with the cyberissues that I think are growing every day.”
While dialogue around cybersecurity has come a long way, the nation still lags behind in recognizing problems and enhancing its defenses, Rep. Jim Langevin, D-R.I., said Wednesday during an event at the Crowell & Moring law firm in Washington. The event was sponsored by the American Bar Association’s Section of Science & Technology Law. Cyberattacks grow ever more sophisticated and damaging, said Langevin, co-chairman of the House Cybersecurity Caucus and former chairman of the House Cybersecurity Subcommittee. “Cybersecurity, I don’t believe, is a priority for personal users. It’s not a priority for many corporations and unfortunately, it’s not even a priority for some in government and it’s costing us.”
With the sophistication of hackers and the ease of launching an attack, it’s time for a new take on cybersecurity, Langevin said. A cyberwar may seem far off, “but we're already beginning to see great interest in this area among the hacker community,” he said. “It used to take a sophisticated hacker to pull off a distributed denial of service attack.” Now “all you need is an Internet connection and the right tools” and a few angry individuals.
Langevin said he is pleased with efforts made on Capitol Hill and at the SEC to guide companies on cyberincident disclosures. Current legislative proposals streamline the classification process, he said. They would ensure the transmission of new threat information to the private sector “while also establishing a system that allows businesses to communicate threats to government, without the risk of divulging personal or proprietary information.” The House Intelligence Committee passed the Cyber Intelligence Sharing and Protection Act in December. The bill would give government the authority to share threats with and obtain information from companies, he said. While supporting the intent of the legislation, Langevin said he has concerns that the language doesn’t go far enough in protecting personal data: The language should be more specific and state that “personal and private information couldn’t be transmitted to government.”