Senate Cybersecurity Debate to Begin Before August Recess, Lawmakers Say
Majority Leader Harry Reid, D-Nev., told members he hopes to bring cybersecurity legislation to the Senate floor sometime “between now and the time we adjourn in August,” said Senate Energy and Natural Resources Committee Chairman Jeff Bingaman, D-N.M. His comments came Tuesday during a cybersecurity hearing held by his committee. We were unable to confirm the time line with staff from Reid’s office, but Senate lawmakers said they're working to wrap up the bill before the month-long recess.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Bingaman said he remains concerned that the cybersecurity reliability system for utilities is too “cumbersome,” “overly complicated” and inadequate to prevent cyberattacks. “We still do not have an effective system in place to require action in the face of an imminent cyberattack,” he told witnesses. Officials from the GAO and energy regulatory agencies reaffirmed that cybersecurity legislation should encourage cyberthreat information sharing between the public and private sector that’s timely, actionable and anonymized.
Ranking Member Lisa Murkowski, R-Alaska, emphasized her desire to avoid a cybersecurity approach that forces the private sector to comply with prescriptive, “check the box” compliance mandates. “I think there’s near agreement that we need a comprehensive approach to the cybersecurity problem,” she said. “Some would have us believe that only the Department of Homeland Security (DHS) and a host of new federal regulations will protect us, but I don’t think granting federal regulators broad new powers is the right approach.” Murkowski is a sponsor of a cybersecurity bill, the SECURE IT Act (S-2151), which intentionally omits any federal requirements for owners and operators of critical infrastructure to increase their cybersecurity protections.
Sen. Al Franken, D-Minn., is concerned about the security of the U.S. IT supply chain, he said, and asked witnesses if utilities are testing imported devices for malicious code. Federal agencies “really haven’t established effective mechanisms to adequately address that vulnerability,” replied Gregory Wilshusen, GAO’s director of information and technology. He said GAO is analyzing the Obama administration’s national strategy for global supply chain security.
Senate Homeland Security and Governmental Affairs Committee Ranking Member Susan Collins, R-Maine, said in an interview at the Capitol that she’s “hopeful” there will be enough support to pass a bill. She was particularly encouraged by the “very constructive proposals” offered by Sen. Sheldon Whitehouse, D-R.I., and Minority Whip Jon Kyl, R-Ariz., she said. Collins is one of the authors of the Cybersecurity Act (S-2105), which gives DHS the authority to identify where private sector performance requirements are inadequate and develop new performance requirements for owners and operators of covered critical infrastructure.
Whitehouse and Kyl have been working for months to develop language that would garner support from opponents of industry cybersecurity performance requirements but so far an accord has proved elusive. Whitehouse is optimistic a compromise can be found, he told us. “So far, so good -- we just hope we can wrap it up in time.”