International Trade Today is a service of Warren Communications News.
Debate Next Week

Fissures Deepen in Senate Cybersecurity Debate

The Senate agreed Thursday to begin debate on the Cybersecurity Act of 2012 (S-3414), but members were quick to trade barbs over the current bill’s ability to protect U.S. critical infrastructure systems from cyberattack. Sponsors of an alternative cybersecurity bill, the SECURE IT Act (S-2151), said they did not support the bill in its current form but agreed to move forward as long as there was an open amendment process.

Substantive debate on the bill will “most likely” begin Tuesday, a spokesman for Majority Leader Harry Reid, D-Nev., said, but some debate on the bill may begin as soon as Monday. Members on both sides of the aisle said they plan to offer a host of amendments to strengthen the bill’s privacy protections, decrease the authority of the Department of Homeland Security (DHS) over cybersecurity operations and add a five-year sunset provision, among others.

Commerce Committee Ranking Member Kay Bailey Hutchison, R-Texas, said in a speech given on the Senate floor she plans to offer the SECURE IT Act as an amendment in the nature of a substitute to S-3414. She and the other sponsors of the SECURE IT Act touted their legislation as a voluntary, industry-driven approach to secure networks that does not impose burdensome costs on owners and operators of critical infrastructure. The SECURE IT Act is sponsored by GOP Sens. John McCain of Arizona, Chuck Grassley of Iowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, Dan Coats of Indiana, Ron Johnson of Wisconsin and Richard Burr of North Carolina.

The key to reaching consensus on the cybersecurity bill pivots on the Senate’s ability to adhere to five principles, Hutchison said. First, the cybersecurity standards must be developed by the private sector and must be truly voluntary. Second, the National Institute of Standards and Technology should be the convening authority for the private sector standard-setting process and there should be no regulatory regime. Third, the bill should contain robust protections for businesses from legal liability and necessary antitrust and Freedom of Information Act exemptions. Fourth, the information sharing provisions must be strong and must encourage the government to share with the private sector. The national security agencies “should not have to be subservient to DHS,” she said. Finally, the bill must contain a five-year sunset to allow the government to revisit the act, she said.

McCain again slammed S-3414, saying it would harm the economy and expand the size and reach of the government if it passes in its current form. He specifically objected to putting DHS, with its “abysmal track record,” in charge of “sensitive national security matters.” “They can’t even screen airline passengers without constant controversy,” he said.

McCain specifically objected to Title I of the bill, which he said would allow the government to require businesses to adopt the bill’s so-called voluntary critical infrastructure cybersecurity standards. He read a portion of Section 103 in the bill that allows federal regulatory agencies to “adopt the cybersecurity practices as mandatory requirements.” Section 103 of the bill reveals the “true regulatory intent” of the proponents of this bill, McCain said. McCain also objected to the “counterintuitive” information sharing provisions contained within Title VII of the bill that exclude the National Security Agency (NSA) and Defense Department from collecting information from the private sector.

Senate Privacy Subcommittee Chairman Al Franken, D-Minn., said SECURE IT and the House-passed Cyber Intelligence Sharing and Protection Act (CISPA) (HR-3523) are far worse alternatives. These bills would permit military agencies to share and monitor Americans’ private communications with impunity, he said. “The gatekeeper of this information should never be the military or the NSA,” Franken said. “That institution has too dark a history of spying on innocent Americans to be trusted.”

Franken acknowledged that S-3414 is not perfect but said that when it comes to protecting civil liberties and privacy, S-3414 “is the only game in town.” Franken said the revised bill includes provisions to hold companies accountable if they intentionally violate citizens’ privacy and allow citizens to sue the government for privacy violations. Franken said he planned to offer an amendment that would delete any provisions in the bill that permit ISPs to monitor communications and deploy countermeasures to protect their systems from cyberthreats.

Senate Majority Whip Dick Durbin, D-Ill., said he too was wary of sharing cybersecurity information with agencies that are “shrouded in secrecy.” “We ask that the first line of review be with a civilian agency, subject to congressional oversight,” he said. Nevertheless, that does not mean that the agencies will “never be able to apply their expertise to analyze and mitigate cyberthreats,” he said. S-3414 requires that relevant cyberthreat information is shared by the NSA and DOD in real time, he said. “Waste no time doing it, send it to the agencies if there is any perceived threat to America’s security.”

The White House separately said it supports the revised bill, which it said improves the nation’s cybersecurity while protecting the privacy, confidentiality and civil liberties of U.S. citizens, in a policy statement published Thursday (http://xrl.us/bniaq7). Though the bill’s protections for critical infrastructure are “less robust” than previous legislative drafts, the bill contains significant improvements, the administration said. The White House said it would not support any amendments that weaken the government’s existing cybersecurity authorities, DHS cybersecurity authority, or substantially expand liability protections for private sector entities.

The U.S. Chamber of Commerce said Wednesday it strongly opposed the “deeply flawed” bill, which it said was rushed to the floor and “remains a moving target.” The Chamber urged senators not to vote for the bill and urged them instead to advance “non-regulatory” bills like CISPA and SECURE IT. The comments were in a letter signed by Chamber Executive VP-Government Affairs Bruce Josten.

The Chamber said the voluntary critical infrastructure cybersecurity standards could be used to impose new obligations on U.S. businesses. The bill gives federal agencies the authority to modify or amend the standards in a way that could make them into “overly prescriptive” practices. The Chamber said it would be costly and time-consuming for businesses to comply with the bill’s third party assessment requirements, which could actually create new risks.

The Chamber objected to the “name and shame” provision of the bill’s marketplace information section, which would require businesses to disclose when they have suffered a cybersecurity event. The bill also gives DHS too much control over the information sharing proposal and eliminates the DOD and NSA’s ability to receive cybersecurity information from the private sector. Such an approach creates silos that would “diminish the timeliness and quality of the threat data exchanged,” the letter said.

Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn., said he was disappointed with the Chamber’s letter. “We can’t afford to be inflexible,” he said. “We can’t be closed to compromise because of the urgency of the threat to the country. I hope our friends at the Chamber will reconsider the tone of their opposition.” Lieberman argued that the bill has been a long time in coming. “I attended my first hearing on cybersecurity ... back in 1998,” he said. “This bill has been aired and worked on and is ready for action.”