Compromise in Air over Cyber Bill
Backers of Cybersecurity Act Hint of Conciliation
Aggressively pushing for enactment are the chairman and ranking minority member of the Senate Homeland Security and Governmental Affairs Committee, Joseph Lieberman, ID-Conn., and Susan Collins, R-Maine, who along with Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., have sponsored the Cybersecurity Act of 2012 [see Senators Unveil Major Cybersecurity Bill].
Every few days, committee staffers have posted on the panel's website statements urging enactment of the legislation (see image below). What's interesting about the postings is that the same statements appear on the majority and minority news feed. Bipartisanship lives, at least among the committee's leaders.
But partisanship - or at least a philosophical difference on the role of government regulation - presents a big challenge to get the legislation enacted. The Cybersecurity Act includes provisions that would have the mostly privately owned operators of the nation's critical IT infrastructure identify standards to keep secure those networks that help direct the flow of energy, food, money and other vital things our economy relies on to function. But the bill also would give the government the authority to make sure they would adhere to those standards. To many Republicans, that's regulation.
Bill supporters contend that getting businesses to help define standards to adopt isn't as intrusive as the government determining on its own how industry should secure these vital networks. "This is not asking people to do what they shouldn't already be doing; [it's] just a core business process," White House Cybersecurity Coordinator Howard Schmidt said in an interview I had with him at the RSA Conference 2012 last week in San Francisco [view video Schmidt Hopeful on Bill's Passage].
Still, the government's role in insisting standards be met doesn't sit well with a group of senior Republican senators, who see the enforcement of security standards as regulations, or at least see the bill establishing a process where regulations could blossom [see Partisan Showdown over Cybersecurity Bill]. "Now is not the time for Congress to be adding more government, more regulation, and more debt, especially when it is far from clear that any of it will enhance our security," said Sen. Saxby Chambliss, the Georgia Republican who serves as ranking member of the Agriculture Committee. He's a co-sponsor of an alternate bill first championed by Sen. John McCain, R-Ariz.
SECURE IT Act
That bill, introduced March 1, is known as the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act, or more simply, the SECURE IT Act. It's co-sponsored by most of the ranking members of Senate committees with cybersecurity oversight.
There are other differences between the two bills. The SECURE IT Act explicitly states that there would be no new funding to support cybersecurity. "An applicable federal agency shall carry out the provisions of this title with existing facilities and funds otherwise available, through such means as the head of the agency considers appropriate," the bill states.
The Cybersecurity Act would codify some of the authority the Obama administration has granted the Department of Homeland Security over federal civilian agency IT security. That bill also would establish a National Center for Cybersecurity and Communications within DHS, headed by a Senate-confirmed director, to coordinate federal efforts to battle cybersecurity threats. The SECURE IT Act does none of that.
The day the GOP senators introduced the SECURE IT Act, the four sponsors of the Cybersecurity Act said they were eager to work with them to bring comprehensive cybersecurity legislation to the Senate floor as soon as possible. But the next day, the four senators issued another statement reemphasizing their support for some enforceable security standards, saying: "We agree with former Homeland Security Secretary Michael Chertoff that risk-based security standards for critical infrastructure must be part of the solution."
(Chertoff is on opposite sides of this issue with his predecessor, the first DHS secretary Tom Ridge, who testified as a representative of the U.S. Chamber of Commerce against the stringent IT security standards before the Senate panel. Both former DHS secretaries served under a Republican president, George H. Bush.)
In some respects, both sides seem to be hunkering down.
At a March 7 hearing of the House Energy and Commerce Committee's Communications and Technology Subcommittee, a panel of executives from Internet service providers cautioned Congress about enacting cybersecurity legislation that would have government regulate infrastructure operators on security. AT&T Chief Security Officer Edward Amoroso testified that regulation would be futile and inhibit innovation. "Burdening the private sector with the cost of unnecessary and ineffective regulations and processes is contrary to that objective, and will only slow advances in cybersecurity," he said.
And Panel Chairman Greg Walden, R-Ore., appeared to side with the ISPs in his opening comment, referring to "the legal and regulatory impediments to securing communications networks against cyberthreats." However, Energy and Commerce Committee Ranking Member Henry Waxman, D-Calif., said in his opening statement that the federal government has an important role to play in ensuring the cybersecurity of the nation's communications networks. "One important federal role is developing practices that will keep the Internet safe," he said.
Cybersecurity: A National Priority
The Obama administration considers cybersecurity a national priority, and President Obama urged Congress, albeit briefly, in his State of the Union Address in January to enact cybersecurity legislation [see The State of the Union's Cybersecurity]. And this week, DHS Deputy Undersecretary Mark Weatherford in a blog called for enactment of cybersecurity legislation, though he didn't explicitly mention regulation or standards enforcement.
"Congress is now poised to act on cybersecurity legislation," he wrote. "We must balance private-sector innovation with government accountability to protect the nation's cybernetworks, safeguard individual privacy and enhance the reliability and resiliency of our critical infrastructure. There will be debates about the legislative proposals in days and weeks ahead, but we owe the American public some basic upgrades to laws that enhance a safer cyberspace."
Other influencers, too, see the need for cybersecurity legislative reform now. "With cyberattacks becoming more sophisticated and pervasive, it is paramount that the federal government takes the steps necessary to prepare the nation to prevent and mitigate the effects of potentially catastrophic cyberattacks on the nation's critical infrastructure," the co-chairs of the 9/11 Commission and the Homeland Security Project at the Bipartisan Policy Center, Tom Kean and Lee Hamilton, wrote to Senate leaders earlier this week. They, too, didn't address regulation.
What both bills offer is improved sharing of information about cyberthreats between government and business; liability protection for businesses that share cyberthreat information; protection of intellectual property and trade secrets of businesses that share threat information; and updating the Federal Information Security Management Act, the decade-old law known as FISMA that governs federal government IT security.
When I spoke with Schmidt, he sounded as if the administration was prepared to deal and wasn't seeking an all-or-nothing bill. "While we might not agree on everything," he said, "let's agree on the things that we agree on and move forward."
Moving forward could mean legislation without tough standards enforcement.
There's one more reason to be optimistic that some type of legislation should pass this year. It's a personal matter with Lieberman, who has played a critical role in shaping government IT and IT security policy for more than a decade. He helped shepherd the E-Government Act and FISMA through Congress in 2002. Lieberman isn't seeking reelection, so seeing President Obama sign a cybersecurity bill before the senator leaves office would be a crowning achievement to end his 24-year Senate career. And he's working hard to see that it gets done.