Senate to Debate Cybersecurity Bill Later this Week, Sponsors Say

Senate Majority Leader Harry Reid, D-Nev., plans to offer a motion Friday to proceed with debate on the bill, Lieberman told reporters after the briefing. “Sen. Reid has put us on notice that we should stay in Washington this weekend because he may want to begin debate or process amendments. And in my opinion, what he also wants to make sure is that we start the debate on Monday morning.” The Senate is scheduled to depart for summer recess Aug. 3, and scheduled to return Sept. 10. Reid’s spokesman didn’t comment.

The bill isn’t perfect and represents a compromise that offers the Senate’s best chance to pass cybersecurity legislation this year, said Ranking Member Susan Collins, R-Maine. Lieberman agreed: “If in our quest for cybersecurity legislation we allow the perfect to be the enemy of the good, we will end up allowing our real enemies to destroy an awful lot that is good in our country.” Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Sen. Tom Carper, D-Del., were also at the news briefing. Sponsor and Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif., didn’t attend.

The four sponsors said they made significant changes to the bill that they hope will sway enough opponents to vote for the new bill. “I have never seen in any bill so much give and take,” said Rockefeller. “We compromised more perhaps than I would have liked.” Rockefeller said there may be more compromises to forge after the bill reaches the Senate floor.

The four sponsors said they'll pursue an open amendment process to allow anyone to offer germane and relevant amendments to the bill. Senate Energy and Natural Resources Committee Chairman Jeff Bingaman, D-N.M., plans to propose his Grid Cyber Security Act (S-1342) as an amendment to the bill when it comes to a floor, a spokesman had said (CD July 23 p6). That proposal would amend the Federal Power Act to develop what the legislation calls adequate cybersecurity standards for critical electric infrastructure and would require the secretary of energy to take immediate actions to mitigate a cybersecurity threat to the grid. Lieberman said he thought Bingaman’s amendment would be germane and relevant and said he will work with him “to see if we can find a way to incorporate at least some of the essential principles of that amendment.”

But two GOP sponsors of the SECURE IT Act (S-2151) said they oppose the revised Senate Cybersecurity Act as a viable way to secure the nation. Though sponsors of S-3414 say their bill mostly contains voluntary cybersecurity standards for owners of critical infrastructure, the SECURE IT Act lacks provisions or requirements to compel owners and operators of critical infrastructure to increase their cybersecurity protections. The SECURE IT Act is sponsored by GOP Sens. John McCain of Arizona, Kay Bailey Hutchison of Texas, Chuck Grassley of Iowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, Dan Coats of Indiana, Ron Johnson of Wisconsin and Richard Burr of North Carolina.

McCain believes S-3414 in its current form has “zero chance” of passing in the House “or ever being signed into law,” he said in a late Monday Senate floor speech. The “controversial and flawed bill” should certainly not take precedence over other critical pieces of legislation like the 2013 defense authorization bill, he said. “The cybersecurity bill that [Reid] intends to call up later this week is greatly in need of improvement, both in the area of information-sharing among all federal agencies and the appropriate approach to ensuring critical infrastructure protection,” McCain said. “When there are less than 27 days of possible legislative session before the election recess, I find it difficult to understand why the majority leader would be willing to tie up the Senate’s time on this flawed bill.”

Reid rejected McCain’s call to delay consideration of cybersecurity legislation. Reid plans to address both the cybersecurity bill and the defense authorization bill this session, he said in a floor speech Tuesday. “We need to move rapidly to address the gaping hole in our defenses against cyberattack,” Reid said. “Failing to act on cybersecurity legislation not only puts our national security at risk, it recklessly endangers members of our armed forces and their missions around the world. … But acting to secure our critical networks doesn’t mean we won’t also pass a defense bill.” Reid is making the right decision to advance the cybersecurity bill first, Lieberman said. “Both the defense authorization bill and the cybersecurity bill are important, but in terms of urgency I think the cybersecurity bill is more urgent."

Johnson sees “major problems” with S-3414 despite efforts to alleviate the concerns of industry representatives and privacy hawks, he said by email late Monday. The bill “sets up a process in which cybersecurity standards are ultimately determined by the federal government,” Johnson said. “It incentivizes new federal regulations by requiring a report to congress if agencies do not impose regulations. A better approach is to take advantage of private sector incentives to improve cybersecurity.” Spokesmen for Coats and Murkowski said the senators also oppose the revised cybersecurity bill.

Lieberman clarified that though the bill’s regulations are voluntary, there’s “only one” mandate in S-3414: If an operator of critical infrastructure knows they have been attacked, they have to report that to the government. “I'm a little concerned that some of the language in the bill may worry people more than they should be worried,” he said. “Sen. Collins talked about this and we're going to look at those sections just to make sure we can reassure people.” Lieberman said there’s also a section in his bill that says nothing in the legislation is intended to add anything to the existing authority of the primary regulators of critical infrastructure.