Senators are responding to the onslaught of cyberattacks against public and private networks with the bipartisan Cybersecurity Act of 2012, introduced Feb. 14 by top members of the Senate Commerce, Intelligence, and Homeland Security Committees.
This comes on the heels of strong statements about the coming risks of cyberterrorism made by Director of National Intelligence James Clapper and FBI Director Robert Mueller, during the Worldwide Threat Assessment to the Senate Committee on Intelligence on Jan. 31.
Mueller stated, “down the road, the cyber threat, which cuts across all programs, will be the number one threat to the country.”
Comments around the new bill carry a similar tone. “This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles,” Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-Conn.) said in a statement.
Lieberman introduced the bill alongside Commerce Committee Chairman Jay Rockefeller (D-W.Va.) and Select Intelligence Committee Chairman Dianne Feinstein (D-Calif.).
So far, the bill has met only minor opposition. The same day it was introduced, seven Republican ranking members issued a public letter asking the Senate leadership to hold hearings on the bill “so that Senators can be properly educated on this complicated measure and the committees of jurisdiction can provide their necessary perspective before any measure is brought to the Senate floor for consideration.”
The members state that the bill “as drafted, does not satisfy our substantive concerns, nor does it satisfy our process concerns … This is not the kind of legislation that can result in a carefully balanced solution unless the full process is afforded.”
Still, the opposition is substantially less than that encountered by similar bills.
The Protecting Cyberspace as a National Asset Act of 2010 was shot down mainly over the “Internet kill switch,” a provision allowing the president to shut off the Internet if national security demanded it, an ability already granted by the Communications Act of 1934. This was removed from a similar bill the following year, but it ran into other issues.
The key problem faced by cybersecurity legislation is that it often means dealing with security of public and private networks—including businesses and major facilities. This then touches on how much influence government should have over private enterprise, and, like the “Internet kill switch,” risks affecting digital rights.
According to the latest bill’s summary, “As the country increasingly relies upon the Internet to conduct business, the critical services upon which we rely have become increasingly vulnerable to cyber threats.”
“The destruction or exploitation of critical infrastructure through a cyber attack, whether a nuclear power plant, a region’s water supply, or a major financial market, could devastate the American economy, our national security, and our way of life,” it states.
The bill will “give the federal government and the private sector the tools necessary to protect our most critical infrastructure from growing cyber threats.”
It includes legislation from both the Commerce and Homeland Security Committees, and input from “companies and trade associations representing a large swath of the private sector, including the information technology, financial services, telecommunications, chemical, and energy sectors.”
The bill takes a few steps to avoid overstepping the boundaries of the private sector. It requires the Secretary of Homeland Security to work with the private sector in identifying where cyber defense is most needed, and then work to secure the systems.
But, notably, “The bill would only cover the most critical systems and assets in a given sector, and only if they are not already being appropriately secured,” states the summary.
It adds that “Owners of ‘covered critical infrastructure’ would have the flexibility to meet the cybersecurity performance requirements in the manner they deem appropriate,” and it would “prohibit the government from regulating the design or development of information technology products.”