Revised Cybersecurity Bill Sparks Firestorm of Criticism
Critics of the revised Senate cybersecurity bill pounced on what they called suspicious regulatory loopholes that allow the government to mandate cybersecurity regulations on critical infrastructure providers. The Senate’s last-ditch effort to reach a compromise on a comprehensive cybersecurity bill was backed by a bipartisan group of senators and President Barack Obama (http://xrl.us/bnhjpy).
Legislation that only increases cyberthreat information is “not enough,” Obama wrote in a Wall Street Journal op-ed Friday (http://xrl.us/bnhkbo). “The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements,” he said. “It would be the height of irresponsibility to leave a digital back door wide open to our cyber adversaries.” Obama reaffirmed his desire for a cybersecurity approach that protects the privacy and civil liberties of the American people and said he would veto any bill that lacks such protection.
The Cybersecurity Act of 2012 would create a National Cybersecurity Council to do risk assessments to determine critical infrastructure sectors and compel the owners and operators of critical infrastructure to report significant cybersecurity incidents. The bill offers liability protections, expedited security clearances, threat information and technical assistance to owners and operators of critical infrastructure if they propose and comply with voluntary, technologically neutral cybersecurity practices. Though supporters of the bill touted the proposal as voluntary, the word “mandatory” appeared in the bill five times, including in one section that allows federal regulatory agencies to “adopt the proposed cybersecurity regulations as mandatory requirements.” Sen. Dan Coats, R-Ind., said Friday in a statement via email he’s limiting his support to the SECURE IT Act (S-2151) and remains “concerned that some of the provisions [of the revised Cybersecurity Act] move beyond voluntary incentives and subject the private sector to mandatory requirements and burdensome regulations.”
These voluntary provisions are “clearly mandatory regulation[s] by another name,” said a spokesman for Sen. Lisa Murkowski, R-Alaska, a sponsor of the SECURE IT Act. The bill “says they are voluntary standards but the oversight agency has the option to make them mandatory,” the spokesman told us. “And the oversight [agency] can ‘change’ the standards as they please. There’s not much here that is truly voluntary.”
The leader of the House Republican Cybersecurity Task Force, Rep. Mac Thornberry, R-Texas, said Friday in an email he’s “encouraged” by the progress in the Senate. The revised approach is a “hopeful sign that we can get a cyber bill signed into law this year,” he said. “Obviously, there are a lot of issues to be resolved, and the Senate must approve a bill,” he said. “But if we all focus on passing a bill with those elements on which we all agree and then continue working on the more controversial issues, we will have taken a significant step toward improving the security of the nation.”
The bill made significant improvements to ensure the protection of U.S. citizens’ privacy and civil liberties, advocacy groups said. The revised bill narrows the definition of what can be shared with the government and limits information sharing to civilian agencies like the Homeland Security Department, rather than with the National Security Agency, they said. “In terms of privacy, these changes make the Lieberman-Collins bill far superior to both the McCain bill [SECURE IT] and the House-passed CISPA,” HR-3523, said Center for Democracy and Technology President Leslie Harris. Free Press Action Fund Policy Director Matt Wood said he welcomed the “significant new provisions designed to limit its potential impact on privacy, civil liberties and Internet openness.”
The revised bill would forbid the government from disclosing any information obtained from private entities and from intercepting wire, oral or electronic communications unless authorized by law. The legislation would task agencies with securing the federal IT supply chain to ensure that the government acquires only secure technologies. The bill also has provisions to boost cybersecurity education and research and development.
Industry, Cybersecurity Experts Clash
The revised bill is “even worse than the original” one, said a lobbyist for a utility trade group. It “creates a monolith” under the DHS to do comprehensive risk assessment, she said, and the incentives for industry participation in voluntary best practices are “woefully inadequate.” The only incentive is protection from punitive damages, she said. The proposed National Cybersecurity Council can make the voluntary best practices mandatory and uses the “guise of partnership with the DHS to impose a mandatory, coercive, regulatory system,” she said. The bill does not have the backing of the utility industry, she said.
The legislation would amend the current Federal Information Security Management Act (FISMA) guidance to authorize DHS to oversee the security of federal networks. The bill would consolidate DHS’ existing cybersecurity functions under a single National Center for Cybersecurity and Communications, which would facilitate cybersecurity information sharing between the federal government and the private sector. Cybersecurity experts were also disappointed with a revision they said lacks any real teeth to secure the U.S. from cyberattack. The “diluted” proposal is nothing but a “show piece,” said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. “This bill won’t do anything. ... At this point I don’t know if I will bother to track it any more,” he told us. The politics of an election year and heavy lobbying from telecom and energy companies “probably means we won’t succeed,” Lewis said. “Even if they pass it we will have to fix this later on.” Ultimately the American people lose out, Lewis said. “We shouldn’t be in a situation where national security comes second.”
Ex-DHS Assistant Secretary Stewart Baker said the new version of the bill won’t be as effective in improving security because it “drops a lot of the regulatory punch” that was in the original bill. “A mandate would require even reluctant businesses to upgrade their security,” said Baker, now a lawyer at Steptoe & Johnson: “This version focuses on giving business incentives to improve security, such as protection from punitive damages liability.” The provision which authorizes federal agencies to mandate some cybersecurity rules would only apply to industries that are already regulated, Baker said. “If they’re already regulated for other reasons, doesn’t it make sense to make sure they’re also observing the most up-to-date security standards?”
There’s hope for the forthcoming amendment process where senators could add in some “easy fixes,” Lewis said. He suggested lawmakers resurrect a proposal to authorize the secretary of defense to designate specific critical infrastructure operators where cybersecurity rules would be mandatory because of the risk to national security. “If all we got out of this is better protection of the electrical grid, that would be a good thing,” said Lewis.
It’s “highly likely” that Senate Majority Leader Harry Reid, D-Nev., plans to bring the bill to the Senate floor for debate between now and the August recess, his spokesman told us. Lawmakers must first debate whether or not to extend the Bush tax cuts, the spokesman said. The Senate is scheduled to depart for its summer recess Aug. 3 and is not scheduled to return until Sept. 10.
Senate Energy and Natural Resources Committee Chairman Jeff Bingaman, D-N.M., plans to propose his Grid Cyber Security Act (S-1342) as an amendment to the bill when it comes to the floor, a spokesman said. The proposal would amend the Federal Power Act to develop adequate cybersecurity standards for critical electric infrastructure and would, among other provisions, require the Secretary of Energy to take immediate action to mitigate a cybersecurity threat to the grid. “Just studying this issue and writing a report does not protect our nation’s grid,” the spokesman said. “It’s safe to conclude that Bingaman will see a study provision as insufficient and unsatisfactory.”