Cybersecurity bill (CISPA): After House passage, what will Senate do?

Sen. John McCain is pushing a voluntary cybersecurity approach, while another CISPA-type bill would require companies like electric utilities to meet federal cybersecurity standards.

April 27, 2012

With Thursday’s passage of the Cyber Intelligence Sharing and Protection Act (CISPA) in the US House, the focus now turns to the Senate, where two starkly different visions of how to meet the cyberthreat are vying for support.

One is a voluntary cybersecurity approach put forward by Sen. John McCain (R) of Arizona and backed by seven Republican senators and several business groups. The other is a bill cosponsored by Sens. Joseph Lieberman (I) of Connecticut and Susan Collins (R) of Maine – and backed by the Obama administration. It would require "critical infrastructure" companies – like electric utilities – to meet federal cybersecurity standards.

Calling the cyberthreat today "a real and present danger to this country," Senator Lieberman warned in a February Senate hearing that the time has come to act, after three years of work on cybersecurity.

"We simply cannot allow this moment to slip away from us," he said. "We need to act now to defend America's cyberspace as a matter of national and economic security."

Cybersecurity experts are generally supportive of the Lieberman-Collins bill – except for the loopholes. Two dangerous loopholes in the proposed legislation, these experts say, are: (1) setting the threshold for federal oversight much too high and (2) leaving the information-technology industry and Internet service providers with no oversight at all.

The only companies that would have to meet federal standards under Lieberman-Collins are those whose operations, if disrupted, "would cause mass death" or "major damage to the economy, national security, or daily life."

That means many, if not most, crucial computer networks would not be covered – and that weakness would inevitably be targeted by cyberwarriors, says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS) in Washington.

"No bill is better than a bad bill," Dr. Lewis says. "There's no question we're going to get a bill eventually. The only question is whether it will be before or after we're attacked."

Both the Lieberman-Collins bill and the McCain legislation have received poor reviews from privacy advocates. Lieberman-Collins has some privacy safeguards: It would require companies to anonymize the information they send to the government and use information received back from government only for cybersecurity. But that’s not enough to satisfy the Center for Democracy and Technology.

"Lieberman-Collins needs some substantial improvements, but overall is better for privacy than is CISPA," writes Gregory Nojeim, senior counsel at the Center for Democracy and Technology, in an e-mail interview.

A CDT analysis found both bills have broadly written provisions that would:

• Share private communications with the National Security Agency and other federal entities, or with any other federal agency designated by the Department of Homeland Security.

• Monitor private communications passing over the networks of companies and Internet service providers.

• Employ countermeasures against Internet traffic.

In an effort to smooth passage, one provision has already been removed from the Lieberman-Collins bill that critics claimed would have given the president a “kill switch” to essentially turn off the Internet.

Meanwhile, Senator McCain’s competing bill would not offer new regulations, but instead promote information sharing with the government by providing immunity protection from lawsuits, among other things.

“The only government actions allowed by our bill are to get information voluntarily from the private sector and to share information back,” McCain said at a press conference unveiling the bill last month. “We have no government monitoring, no government takeover of the Internet, and no government intrusions.”

The political dynamic now is such that Congress will be doing well if it can pass any cybersecurity legislation at all – even a watered-down bill that offers only incentives to private industry to adhere to higher cybersecurity, says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security.

Senators are receiving a lot of pushback from companies saying they don't want the government setting up cybersecurity standards, Mr. Baker notes.

In one scenario, elements of the McCain bill will be folded into Lieberman-Collins, diluting it. If that bill then passes the Senate, it would go to a conference committee, where it could be further diluted.

But some say the McCain bill is already quickly losing support from its original backers – which could mean the Lieberman-Collins bill, undiluted, heads to a floor vote in May. That's a big “if” since lobbying groups for business interests are trying to derail Lieberman-Collins, several observers say.

The House bill passed by a vote of 248 to 168. It has provisions for sharing information but doesn't contain any federal cybersecurity standards.

All in all, the likelihood of strong federal requirements for cybersecurity at America's critical infrastructure companies – including the power grid – is very low, Baker says.

"Getting anything on this topic through Congress is going to be a very heavy lift," he says. "The House has made it clear they're not interested in federal standards. Senator McCain's bill does very little. I know there are negotiations. But all the political forces are conspiring to further water down the regulatory requirements."

In hopes of convincing lawmakers that cybersecurity legislation should be passed, the Obama administration last month staged a behind-closed-doors mock cyberattack for a group of 50 senators.

What would happen to New York City if the power grid succumbed to a cyberattack on a hot July day and was out for a long time? The senators found out, in a scenario not unlike the massive East Coast blackout in 2003.

Imagine apartment dwellers with no water. No lights. No working ATMs. No air conditioning. No elevators. In other words, none of the key features of modern civilization.

Cyber legislation would help avert such attacks, the senators were told by top administration officials including John Brennan, assistant to the president for homeland security; Gen. Keith Alexander, director of the National Security Agency; and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff.

It was "very compelling," Senator Collins said as she left the demonstration, according to Bloomberg News. “It illustrated the problem and why legislation is desperately needed.”