Update on Cybersecurity Legislative Efforts
March 6, 2012
On February 14, 2012, the Senate Homeland Security and Governmental Affairs Committee introduced S. 2105, the long-awaited Cybersecurity Act of 2012 (Cybersecurity Act). Yet, despite efforts to build bi-partisan support for the bill, S. 2105 met immediate opposition from a group of Republican senators, including John McCain, and industry groups, like the US Chamber of Commerce. Objections have centered on a provision in the bill that would create a new regulatory scheme, administered by the Department of Homeland Security (DHS), to protect critical infrastructure. With those senators having now, on March 1, 2012, introduced their own bill, and a number of other proposals being considered in the House of Representatives, the fate and likely content of any cybersecurity legislation passed this year will depend on the prospects for bipartisan negotiation and compromise. Congressional sources suggest that a compromise is within reach, which could make cybersecurity one of the rare election year issues that transcends party politics.
An Effort to Achieve Bi-Partisan Support
Cybersecurity legislation has been a topic of interest on Capitol Hill for a number of years now: Senators Joseph Lieberman and Susan Collins introduced bills in both this and the previous Congress; the Obama Administration made its own proposal last May; and the House Republicans, through a task force led by Representative Mac Thornberry, have also made recommendations. The Cybersecurity Act, which is the product of a bi-partisan task force established by Majority Leader Harry Reid’s office, represents a compromise among various legislative proposals and an attempt to address the concerns of the IT industry. It includes proposals, inter alia, to reform the Federal Information Security Management Act (FISMA), promote cyberthreat information sharing between the private sector and the government, strengthen research and development on cybersecurity technology, and develop the cybersecurity workforce.
Most controversially, the bill proposes to establish a regulatory scheme, managed by DHS, aimed at protecting critical infrastructure (e.g., the electric grid, oil refineries, and financial institutions) from cyberattack. Under this proposal, DHS would be responsible for designating particular systems or assets as “covered critical infrastructure” and then establishing cybersecurity performance standards that infrastructure owners would be responsible for meeting. Majority Leader Reid has announced his intention to fast-track the bill to the Senate floor for a vote early this year.
Concerns About Regulation
The primary criticism of the bill by its opponents is that it would impose an entirely new category of regulation on private businesses in a number of industries. In an op-ed piece published on Politico.com in late January, Senator Kay Bailey Hutchison, along with three other Republican senators, raised concerns about “heavy-handed, costly regulation and further expansion of government bureaucracy.” The Chamber of Commerce has similarly raised concerns that, in the words of former DHS Secretary Tom Ridge, who testified for the Chamber, “[n]ew compliance mandates would drive up costs and misallocate business resources without necessarily increasing security.”
There have also been questions raised about DHS’s role as a cybersecurity regulator. Senator McCain, in his opening statement at a February 16 hearing on the bill, questioned DHS’s readiness to fulfill the mandate given to it by S. 2105 and complained that the bill “neglects to afford the authorities necessary to protect the homeland to the only institutions currently capable of doing so, US Cybercommand and the National Security Agency (NSA).” McCain further asserted that “the best government-wide cybersecurity approach is one where DHS leverages, not duplicates DoD efforts and expertise.”
Agreement on a Problem, but Competing Solutions
Critics of S. 2105, including McCain, introduced their own bill on March 1: the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act of 2012. As expected, the bill does not include provisions for regulation of critical infrastructure. Instead, it relies primarily on voluntary information sharing, which the bill seeks to promote by removing legal barriers to private entities sharing cyberthreat information with the government or among themselves and by creating protections for such information once it is shared with the government. Notably, the bill designates existing bodies at a number of agencies (e.g., Department of Defense, NSA, FBI) as “cybersecurity centers” that can receive this information; unlike S. 2105, it does not give the Secretary of Homeland Security authority to select a single, centralized repository. The bill does, however, require government contractors in the areas of electronic communications, remote computing, and cybersecurity services to share cyberthreat information that is directly related to their government contracts.
SECURE IT also contains provisions aimed at: (1) revising criminal laws related to cybercrimes, in particular, the Computer Fraud and Abuse Act; (2) reforming FISMA; and (3) promoting research and development on cybersecurity. There are already indications that the US Chamber of Commerce intends to endorse this bill.
There are also a number of smaller Republican cybersecurity bills on the table in the House. Representative Daniel Lungren’s Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act), H.R. 3674, has been reported by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies for consideration by the full committee. It contains a cyberthreat information sharing provision as well, though it would create an independent non-profit to act as a clearinghouse for shared information. In contrast to SECURE IT, the PRECISE Act also includes regulation of critical infrastructure, but the bill would rely on DHS only to determine performance standards and then rely on other government agencies to incorporate those standards into existing regulatory schemes—a lighter touch than S. 2105. Another example is the Cyber Intelligence Sharing and Protection Act, H.R. 3523, being considered by the House Permanent Select Committee on Intelligence, which is more narrowly focused, removing legal barriers to cyberthreat information sharing among the private sector and government.
Meanwhile, Majority Leader Reid plans to bring some form of the legislation to the floor for a vote in the coming weeks. All sides appear to agree that something needs to be done to improve cybersecurity in the United States, and the introduction of SECURE IT sets the stage for negotiations. There appears to be consensus on the need, at least, to address information sharing, FISMA reform, and cybersecurity R&D. There also remains a strong possibility that the senators will agree to allow through some form of regulation to protect critical infrastructure. But, given the dynamic state of play, it remains unclear what exact form the bill will take when it comes to the floor and what amendments may be required. Nonetheless, the bill’s chief proponents remain hopeful that a compromise can be reached and a final bill sent to the President.
We will continue monitoring this legislation. For further information, contact: Stewart Baker at 202.429.6202, Michael Vatis at 212.506.3927, Doug Kantor at 202.429.3775, Rich Verma at 202.429.6452, or Teddy Nemeroff at 202.429.3761 in our Washington, DC office.