Compromise cybersecurity bill still draws GOP fire
Connecting state and local government leaders
Sen. Joe Lieberman and his bipartisan co-sponsors say it's not SOPA or PIPA and doesn’t have a kill-switch provision, but Republicans committee leaders say it still overreaches.
A cybersecurity bill has been introduced by Sen. Joseph Lieberman (I-Conn.) and bipartisan co-sponsors that would clarify the Homeland Security Department’s authority for overseeing the security of privately owned critical infrastructure and reform the Federal Information Security Management Act.
Under the bill, the Cybersecurity Act of 2012, DHS would establish security performance requirements for systems designated as critical infrastructure. System owners would be able to self-certify compliance with the requirements and the department could seek civil penalties for failures.
FISMA would “focus on continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.”
Related stories:
Senators spar over who should lead on cybersecurity legislation
Congress backs away from SOPA, PIPA in face of public outcry
A group of Republican senators has called for hearings on the legislation before seven committees in addition to the Homeland Security and Governmental Affairs Committee, where it was introduced Feb. 14.
Lieberman is chairman of the Senate Homeland Security and Governmental Affairs Committee. The bill was co-sponsored by the committee’s ranking Republican, Sen. Susan Collins of Maine, as well as Democratic senators Dianne Feinstein of California and Jay Rockefeller of West Virginia.
The authors of this latest bill seek to distance it from controversial provisions of earlier versions, and from other unrelated bills in both houses.
“The senators stressed that the Cybersecurity Act of 2012 in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act,” introduced in the House and Senate, respectively, and which generated public opposition, they said in announcing the legislation.
The latest bill also has dropped emergency authority for the president to disconnect portions of the critical infrastructure from the Internet, and it does not require a special White House cybersecurity office.
Despite these efforts, plans to move the bill through the Homeland Security and Governmental Affairs Committee have generated controversy among ranking Republican members of several other Senate committees that also claim jurisdiction over cybersecurity issues.
The senators in a Feb. 14 letter to Majority Leader Sen. Harry Reid (D-Nev.) said they agreed on the need for improved cybersecurity but added “we have yet to find broad bipartisan agreement on the most effective legislative solution.”
They complained that the bill “does not satisfy our substantive concerns, nor does it satisfy our process concerns,” and said it is imperative that other committees have a hand in shaping it. “The relevant committees have not had the opportunity to weigh in on this measure even though it cuts across committee jurisdiction.”
The authors of the letter are senators Kay Bailey Hutchison, Commerce, Science and Transportation; John McCain, Armed Services; Chuck Grassley, Judiciary: Saxby Chambliss, Select Committee on Intelligence; Lisa Murkowski, Energy and Natural Resources; Jeff Sessions, Budget; and Mike Enzi, Health, Education, Labor and Pensions.
The new legislation is a merger of bills that had been considered in the last session of Congress by the Senate Homeland Security and Governmental Affairs and the Commerce Committee. The authors said it reflects recommendations from the IT, financial services, telecommunications, chemical and energy industries, along with national security, privacy and civil liberties experts.
The bill would require DHS to do risk assessments of the nation’s privately owned networks and systems and designate critical infrastructure based on their current levels of security, the potential impact of disruptions and the threat of disruption. Critical infrastructure would include those whose disruption would cause mass death, evacuation or substantial damage to the national economy or security.
The department would establish performance requirements for covered infrastructure. Owners would have to certify compliance with these requirements annually, either through self-certification or through a third-party evaluation. Industries already regulated would remain under the authority of their regulating agencies and DHS would have no regulatory authority, although the department could seek civil penalties for owners not meeting requirements. The requirements would not be technology-specific.
DHS and the regulatory agencies would work with the intelligence community to ensure that real-time threat intelligence could be shared with infrastructure owners. Owners meeting performance requirements would be given liability protection for security incidents.
The FISMA reform would “provide a comprehensive framework for ensuring the effectiveness of information security controls” through “a focus on continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.”
Under the bill, the term “continuous monitoring” means “the ongoing real-time or near real-time process used to determine if the complete set of planned, required and deployed security controls within an information system continue to be effective over time in light of rapidly changing information technology and threat development.”
DHS would be given FISMA oversight, and the department also would have complete access to all government system traffic and information upon certification that the access is needed for security purposes.