Reitinger: Cybersecurity bill applies 'light touch' to private sector regulation

Cybersecurity legislation proposed by the Obama administration seeks to take a "light touch" when regulating privately owned critical infrastructure, said Philip Reitinger, deputy undersecretary for the Homeland Security Department National Protection and Programs Directorate. Reitinger is slated to leave government service June 3.

Speaking May 23 before the Senate Homeland Security and Governmental Affairs Committee, Reitinger added that, should the bill be enacted, the government would not stipulate particular cybersecurity technologies for adoption by operators of critical infrastructure.

The bill would require a cybersecurity framework, designed by the private sector, that includes performance standards and measures against which critical infrastructure operators would be regularly audited. Audit results, or high-level summaries of them, would be available to the public as a way of driving market activity, Reitinger added. Many critical infrastructure operators are regional monopolies, however, and Reitinger didn't address how market forces could influence their behavior when customers cannot switch providers.

The federal government would be required to take into account audit results when making procurement decisions, Reitinger added. "It is very much intended to be a light touch approach, but one that we believe over time will move the private sector and critical infrastructure in the right way," he said.

During the hearing, committee Chairman Joe Lieberman (I-Conn.) expressed concern that the bill doesn't include liability protection for companies taking potentially disruptive cybersecurity measures.

"This could unfortunately end up as a real obstacle, the failure to do something about liability, to the passage of the bill," he said.

Ranking member Susan Collins (R-Maine) also pressed administration officials to offer a revision to current law permitting the president to "cause the closing of any facility or station for wire communication and the removal therefrom of its apparatus and equipment," should the president officially declare that there exists a state or threat of war involving the United States. Collins cited the language as Section 706 of the Communications Act of 1934, although it shows up currently as Section 606 of US Code Title 47, Chapter 5.

The last time a sitting U.S. president signed a congressional declaration of war was after the bombing of Pearl Harbor; all subsequent war-like activity the United States has been involved in was initiated without such a declaration.

A cybersecurity bill introduced during the last session of Congress by Lieberman and Collins received criticism for permitting the president to shut down parts of the Internet during a cyber attack, a measure that quickly was dubbed a "kill switch." The senators argued at the time that their bill would restrain the presidential powers permitted under the Communications Act.

"Neither the committee nor the administration has sought or seeks any form of Internet kill switch," Reitinger said in response to Collins' pressing. "Clearly, if something significant were to happen, the American people would expect us to be able to respond... To that end, we would, if something significant happened, use the authorities that we bring to bear," he added.
