McCain cybersecurity bill aims for legal frameworks, updates, not structural changes

Rather than set up a distinct entity for cybersecurity information sharing, newly-introduced legislation in the Senate would leverage current federal "cybersecurity centers."

The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act of 2012, or SECURE IT Act (S.2151), introduced by Sen. John McCain (R-Ariz.) on March 1, notes that public- and private-sector information sharing is critical to strong cybersecurity.

Under the proposal, entities would disclose cyber threat information to a number of existing cybersecurity centers including the Defense Department's cyber crime center, the intelligence community's incident response center and the U.S. Cyber Command's joint operations center.

The legislation, which was cosponsored by seven other GOP senators, competes directly with the Cybersecurity Act of 2012 (S. 2105), which was introduced Feb. 14 by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine). The Lieberman-Collins bill would task the Homeland Security Department's national cybersecurity and communications integration center with facilitating information sharing among public- and private-sector entities.

Meanwhile, a proposal in the House would take another approach to information sharing by creating an industry-controlled, non-profit National Information Sharing Organization.

Overall, the McCain bill appears to be a more hands-off alternative to previously-introduced legislation in the House and Senate. The proposal would make cyber threat information sharing voluntary, with the exception of federal contractors that provide telecommunications or cybersecurity services to the federal government. This segment would be required to report to the government cyber threat information related to those services.

The legislation would encourage industry to voluntarily share threat information through antitrust exemptions and create liability protections so companies can more easily secure their networks in the event of a cyberattack. While introducing the legislation March 1, McCain said the legal framework provided by the SECURE IT Act is a key differentiator from other proposals.

"A primary objective of our bill is to enter into a cooperative information sharing relationship with the private sector, rather than an adversarial one rooted in prescriptive federal regulations used to dictate technological solutions to industry," said McCain.

"[It also] includes no government monitoring, no government take-overs of the Internet, and no government intrusions. There are plenty of laws that deal with those issues--this bill is not one of them," he added.

For the most part, the bill emphasizes strengthening current elements rather than introducing radical changes. SECURE IT would make criminal statutes for cyber crimes more severe. According to a statement from McCain, it would update FISMA and keep the National Institute of Standards and Technology as a lead in disseminating security standards for the federal government.

Since McCain publicly slammed the Lieberman-Collins bill and announced he would introduce a rival proposal, he has stressed that his proposal would not grant more authority to DHS. But many supporters of the Lieberman-Collins bill say such a hands-off approach simply won't bring about needed changes in the cybersecurity landscape.

In response to the newly introduced legislation, supporters of the Cybersecurity Act of 2012 said McCain's proposal "does little to ensure that we improve the security of critical infrastructure," and expressed concern that the proposal would "displace DHS from the role it is already performing to help secure the federal government's own computer networks."

Critics have also focused on the role the Defense Department would play under McCain's bill; both DoD and DHS officials have emphasized that domestic cybersecurity is a civilian rather than military responsibility.

For more:
- download the bill from the Senate Commerce Committee website
- see a transcript of McCain's remarks while introducing the bill
- see the SECURE IT press release
- see the statement from Lieberman, Collins
