How much cyber security is enough? Companies wary as Senate weighs bill.

The Senate on Monday takes up a cyber security bill affecting companies that own power systems, water facilities, and other critical infrastructure. Though new security standards would not be mandatory, the private sector remains cautious.

Cybersecurity legislation, stalled for months, is now moving forward in Congress, with the Senate poised to begin debate on whether the bill's voluntary standards for private industry will protect America from devastating cyberattacks or are still just too onerous.

The Cybersecurity Act, as originally proposed by Sens. Joseph Lieberman (I) of Connecticut and Susan Collins (R) of Maine, was full of requirements that the private companies who own nearly all the nation's power systems, water treatment facilities, communications networks, and other critical infrastructure comply with new federal standards.

But Senator Lieberman and company last week axed the mandatory federal oversight, acknowledging they didn't have the votes to push it through. The revised bill now rests on voluntary standards and incentives to spur companies to partner with the government in meeting them.

On that basis, the bill won a critical Senate procedural motion to proceed, 84 to 11, on July 26. Senate majority leader Harry Reid (D) of Nevada also promised at that time to include an open process for amendments.

“There’s plenty of room for changes,” Senator Reid said on the Senate floor that day. “Let’s have as many amendments as people feel appropriate.”

Many now expect a blizzard of amendments throughout the week. Businesses favor a different Senate bill, backed by Sen. John McCain (R) of Arizona, that's heavy on information-sharing and light on standards. Sen. Kay Bailey Hutchison (R) of Texas said last week she planned to put forward the entire McCain-backed Secure It Act plan as an amendment.

Sen. Al Franken (D) of Minnesota has said he will introduce amendments to strengthen privacy protections. Sen. Ron Wyden (D) of Oregon wants an amendment to require police to obtain a warrant before requesting location data from private cellphones or laptop computers. Business groups, including the US Chamber of Commerce, were also reportedly weighing whether to try to seek amendments to the Lieberman bill on grounds that the measure would mean too much information-sharing.

“While this sounds appealing on its face, a government-administered program would shift during the implementation phase from being standards based and flexible in concept to being overly prescriptive in practice,” Ann Beauchesne, the Chamber of Commerce’s vice president of national security and emergency preparedness, said in a statement, according to The Washington Post.

But Lieberman and cosponsors of the bill struck back at the chamber in a letter Friday to Thomas Donohue, the chamber's chief executive officer. The senators said they were "baffled" that the business group would oppose a "voluntary, incentives-based approach" to protecting critical infrastructure, The Hill blog reported Monday.

"Given the cyberattacks that have affected the Chamber's own control over the information of its members, we would have hoped that you would have an appreciation for the threat to the national and economic security of our nation," the letter said.

The White House had sought mandatory cybersecurity measures, but says it will support Lieberman's compromise bill.

Even though compliance with cybersecurity measures would be voluntary for private-sector businesses, the bill may require more than a divided Congress can stomach. A cybersecurity bill that cleared the House of Representatives calls for improved information-sharing between the government and the private sector – but it includes no standards at all. Whatever emerges from the Senate must be reconciled with the House legislation before a final bill goes to President Obama.

Under the Cybersecurity Act compromise bill, unveiled late Thursday, operators of natural-gas pipelines, refineries, water supply systems, and other physical assets vital to modern life in the United States would voluntarily submit their computer networks to testing by the US Department of Homeland Security (DHS). In return, they would get protection from financial liability in the event of a devastating cyberattack.

Key to the revamped version of the Cybersecurity Act is a public-private partnership – a multiagency National Cybersecurity Council, chaired by the DHS secretary. It would assess risks and vulnerabilities, but it would also allow industry to recommend voluntary practices to deal with cyberthreats.

Standards would be reviewed, modified, or approved by the council. Industries could also show their systems to be secure through self-certification or third-party assessment. The companies would then be eligible for liability protection.

"We are going to try carrots instead of sticks as we begin to improve our cyber defenses," Lieberman said in a statement. "This compromise bill will depend on incentives rather than mandatory regulations to improve America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."

Some cybersecurity hawks, however, are shaking their heads, saying a voluntary Cybersecurity Act won't protect critical infrastructure – and they worry that Senate amendments this week will water it down even more.

"Congress knows there is a serious problem, knows that weak cybersecurity creates a new risk to national security for which we are unprepared, but the votes are not there for national security," James Lewis, a cybersecurity expert with the Center for Strategic and International Studies, a Washington think tank, wrote in an analysis. "The political solution in this case is to pass ineffective legislation and pretend it will work."
