How much cyber security is enough? Companies wary as Senate weighs bill.

The Senate on Monday takes up a cyber security bill affecting companies that own power systems, water facilities, and other critical infrastructure. Though new security standards would not be mandatory, the private sector remains cautious.

July 30, 2012

Cybersecurity legislation, stalled for months, is now moving forward in Congress, with the Senate poised to begin debate on whether the bill's voluntary standards for private industry will protect America from devastating cyberattacks or are still just too onerous.

The Cybersecurity Act, as originally proposed by Sens. Joseph Lieberman (I) of Connecticut and Susan Collins (R) of Maine, was full of requirements that the private companies who own nearly all the nation's power systems, water treatment facilities, communications networks, and other critical infrastructure comply with new federal standards.

But Senator Lieberman and company last week axed the mandatory federal oversight, acknowledging they didn't have the votes to push it through. The revised bill now rests on voluntary standards and incentives to spur companies to partner with the government in meeting them.


On that basis, the bill won a critical Senate procedural motion to proceed, 84 to 11, on July 26. Senate majority leader Harry Reid (D) of Nevada also promised at that time to include an open process for amendments.

“There’s plenty of room for changes,” Senator Reid said on the Senate floor that day. “Let’s have as many amendments as people feel appropriate.”

Many now expect a blizzard of amendments throughout the week. Businesses favor a different Senate bill, backed by Sen. John McCain (R) of Arizona, that's heavy on information-sharing and light on standards. Sen. Kay Bailey Hutchison (R) of Texas said last week she planned to put forward the entire McCain-backed Secure It Act plan as an amendment.

Sen. Al Franken (D) of Minnesota has said he will introduce amendments to strengthen privacy protections. Sen. Ron Wyden (D) of Oregon wants an amendment to require police to obtain a warrant before requesting location data from private cellphones or laptop computers. Business groups, including the US Chamber of Commerce, were also reportedly weighing whether to try to seek amendments to the Lieberman bill on grounds that the measure would mean too much information-sharing.

“While this sounds appealing on its face, a government-administered program would shift during the implementation phase from being standards based and flexible in concept to being overly prescriptive in practice,” Ann Beauchesne, the Chamber of Commerce’s vice president of national security and emergency preparedness, said in a statement, according to The Washington Post.

But Lieberman and cosponsors of the bill struck back at the chamber in a letter Friday to Thomas Donohue, the chamber's chief executive officer. The senators said they were "baffled" that the business group would oppose a "voluntary, incentives-based approach" to protecting critical infrastructure, The Hill blog reported Monday.

"Given the cyberattacks that have affected the Chamber's own control over the information of its members, we would have hoped that you would have an appreciation for the threat to the national and economic security of our nation," the letter said.

The White House had sought mandatory cybersecurity measures, but says it will support Lieberman's compromise bill.

Even though compliance with cybersecurity measures would be voluntary for private-sector businesses, the bill may require more than a divided Congress can stomach. A cybersecurity bill that cleared the House of Representatives calls for improved information-sharing between the government and the private sector – but it includes no standards at all. Whatever emerges from the Senate must be reconciled with the House legislation before a final bill goes to President Obama.

Under the Cybersecurity Act compromise bill, unveiled late Thursday, operators of natural-gas pipelines, refineries, water supply systems, and other physical assets vital to modern life in the United States would voluntarily submit their computer networks to testing by the US Department of Homeland Security (DHS). In return, they would get protection from financial liability in the event of a devastating cyberattack.

Key to the revamped version of the Cybersecurity Act is a public-private partnership – a multiagency National Cybersecurity Council, chaired by the DHS secretary. It would assess risks and vulnerabilities, but it would also allow industry to recommend voluntary practices to deal with cyberthreats.

Standards would be reviewed, modified, or approved by the council. Industries could also show their systems to be secure through self-certification or third-party assessment. The companies would then be eligible for liability protection.

"We are going to try carrots instead of sticks as we begin to improve our cyber defenses," Lieberman said in a statement. "This compromise bill will depend on incentives rather than mandatory regulations to improve America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."

Some cybersecurity hawks, however, are shaking their heads, saying a voluntary Cybersecurity Act won't protect critical infrastructure – and they worry that Senate amendments this week will water it down even more.

"Congress knows there is a serious problem, knows that weak cybersecurity creates a new risk to national security for which we are unprepared, but the votes are not there for national security," James Lewis, a cybersecurity expert with the Center for Strategic and International Studies, a Washington think tank, wrote in an analysis. "The political solution in this case is to pass ineffective legislation and pretend it will work."