DHS takes the lead in Senate cybersecurity bill

Newly introduced cybersecurity legislation would task the Homeland Security Department's National Cybersecurity and Communications Integration Center with facilitating information sharing among public- and private-sector entities, rather than creating an industry-controlled, non-profit National Information Sharing Organization, as suggested by one proposal in the House.

Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Me.) introduced the Cybersecurity Act of 2012 (S. 2105) on Feb. 14. The proposed bill would also have DHS create a program for cybersecurity research and development, and stand up a process for designating high-priority critical infrastructure, assessing its risks and building a regulatory framework for setting and enforcing cybersecurity standards.

The bill says DHS should work with various industry groups and government agencies to set cybersecurity standards for covered critical infrastructure. Self-reporting would be the primary oversight mechanism and DHS would determine penalties for not meeting security standards.

It's generally believed that the Senate bill has more regulatory "teeth" than the House Homeland Security proposal, H.R. 3674, as far as incentives and penalties are concerned.

The Lieberman-Collins bill deviates from previous cybersecurity legislation proposed by the duo by excluding the "kill switch" provision, which would have given the president authority to shut down portions of the Internet should there be "clear evidence" of a cyber attack by a foreign government. The bill would also add a continuous monitoring requirement to the Federal Information Security Management Act of 2002, which directs agency cybersecurity efforts.

During a Feb. 16 hearing of the Senate Homeland Security and Governmental Affairs Committee, Sen. John McCain (R-Ariz.) criticized the Lieberman-Collins bill and announced he would soon introduce competing cybersecurity legislation that he claimed will be more pro-business and less regulatory.

McCain also promised his bill will authorize the National Security Agency to undertake real-time monitoring of the public Internet. The NSA and the Defense Department's Cyber Command are the "only institutions currently capable" of protecting U.S. networks against an attack, he said in his written testimony. In addition, the Arizona senator accused Senate Majority Leader Harry Reid (D-Nev.) of pushing the proposed legislation through too quickly.

"[It has] been placed on the calendar by the majority leader without a single markup or any executive business meeting by any committee of relevant jurisdiction," said McCain. "That's wrong."

Supporters of the bill argued that it has been under development since 2009 and parts of the legislation already went before the committee. But McCain said moving the bill to the Senate floor "because it has 'been around'" is "outrageous." Given that four committee members were not in the previous Congress, a previous Congress should not "supplant the necessary work on that bill," he said.

Cybersecurity Act of 2012 co-sponsor Sen. Jay Rockefeller (D-W.Va.) said McCain's suggestions that the process is not open or transparent enough are "patently false."

For more:
- see the THOMAS page for the proposed bill
- go to the hearing page (with prepared statements and archived video)
