Senators Unveil Major Cybersecurity BillMeasure Would Update FISMA, Encourage Sharing of Cyberthreats
See Also: Demonstrate Federally Recognized Cybersecurity Practices Helping Protect Your Organization from Attack Are in Place
The Cybersecurity Act of 2012 has been a half decade in the making as threats against government and private IT systems intensify.
"Our nation's vulnerabilities have already been demonstrated by the daily attempts by nation-states, cybercriminals and hackers to penetrate our systems," Sen. Susan Collins, R-Maine, one of the bill's sponsors, said in a Senate speech. "The threat is not just to our national security, but also to our economic well-being."
Collins, ranking member of the Senate Homeland Security and Governmental Affairs Committee was joined by Committee Chairman Joseph Lieberman, ID-Conn.; Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va.; and Intelligence Committee Chairwoman Diane Feinstein, D-Calif., as chief sponsors of the bill.
The legislation would codify some of the authority the Obama administration has granted the Department of Homeland Security over federal civilian agency IT security and create the National Center for Cybersecurity and Communications within DHS, headed by a Senate-confirmed director, to coordinate federal efforts to battle cybersecurity threats facing the government and the nation's critical information infrastructure, the mostly privately owned networks that control the flow of money, energy, food, transportation and other vital resources that the economy needs to function.
The bill would amend the Federal Information Security Management Act to require the government to develop a comprehensive acquisition risk management strategy, moving away from a culture of compliance to one of security by giving DHS the authority to streamline agency reporting requirements and reduce paperwork through continuous monitoring and risk assessment.
Penetration testing through so-called red-team exercises would be emphasized under the bill's provisions as well as operational testing of systems to ensure agencies are aware of network vulnerabilities. The bill's sponsors say the legislation would also ensure agencies make informed decisions when purchasing IT products and services by directing the Office of Management and Budget to develop security requirements and best practices for federal IT contracts.
One of the more contentious parts of the bill is one that would establish a mechanism in which the owners of the national information infrastructure would help develop cybersecurity standards that they would need to follow.
'Regulation' Without Bite
DHS would assess the risk and vulnerabilities of critical infrastructure systems that threaten the nation's well-being to determine which networks should be required to meet a set of risk-based security standards. Operators of these systems who believe their systems are wrongly designated could appeal DHS's determination.
The bill calls for developing risk-based performance requirements, looking first to existing standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met. Under the bill, the owners of a covered system would determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance. Current industry regulators such as the Securities and Exchange Commission for the banking industry would continue their oversight.
One group representing a segment of critical infrastructure owners, the Telecommunications Industry Association, liked the lack of stringent requirements in the bill: "Primary responsibility for the security of critical infrastructure should lie with the owners and operators of that infrastructure."
Some proponents of cybersecurity reform had sought tougher regulations to safeguard vital private networks but some lawmakers balked, and several Republicans threatened to offer their own version of the bill if Democratic leaders introduced a measure containing stricter regulations, according to one source familiar with the negotiations creating the bill.
Cybersecurity generally has been a bipartisan issue, but one area where Democrats and Republicans could diverge is on how much sway the government - and particularly DHS - has over regulating the owners of critical IT infrastructure on how to operate their networks. Some of the House cybersecurity bills call for incentives to persuade infrastructure owners to keep their networks secure.
Rep. Mac Thornberry, the Texas Republican who coordinates the House cybersecurity legislative initiatives, says he's encouraged by the Senate bill but notes differences exist. "Although there are some areas where we have differences of opinion, such as how to approach critical infrastructure and incentives, I am hopeful that we can find common ground and get something done by the end of the year."
Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, says Republicans might seek to weaken the standards' provisions further in the Senate bill. "The Republican senators don't have enough time to write their own bill, so I hear they'll take the Reid bill and remove all the verbs," says Lewis, referring to Senate Majority Leader Harry Reid, a champion of the bill.
No Internet Kill Switch
Authors of the legislation point out the bill does not contain anti-piracy provisions that scuttled the House's Stop Online Piracy Act and the Senate's Protect Intellectual Property Act, both withdrawn last month after an unexpected uproar by privacy advocates and others [see Are Anti-Piracy Laws Really Needed?]. Unlike an earlier version of the Cybersecurity Act [Senate Bill Eyes Cybersecurity Reform], the new bill does not include emergency authorities for the president to quarantine critical networks in event of a national emergency, powers critics characterized as an "Internet-kill switch."
The legislation also does not establish a special White House cybersecurity office, headed by a Senate-confirmed director, a position favored by the Commission on Cybersecurity for the 44th Presidency, a panel of top government, academic and industry IT security policy experts that made a series of cybersecurity recommendations to the new president in 2009. The Obama administration, while supporting many of the recommendations the panel sponsored by CSIS offered, opposed that provision.
Rep. Jim Langevin, D-R.I., House Cybersecurity Caucus co-chairman, prefers a Senate-confirmed White House cybersecurity director but says he could accept the position being situated in DHS. "This should play an essential role in making our currently disjointed cybersecurity policies more uniform and efficient across the government, saving taxpayer money and guaranteeing high quality defenses for our networks and the sensitive materials on them," he says.
The bill also would require information-sharing between and among the private sector and federal government to share threats, incidents, best practices and fixes while maintaining civil liberties and privacy.
"This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation's enemies, organized criminal gangs and terrorists who would use the Internet against us as surely as they turned airliners into missiles," says Lieberman, who has been working on IT security legislation since the infancy of the Internet.
One name missing on the bill, at least as a primary sponsor, is Sen. Tom Carper, D-Del., who chairs a Senate subcommittee with IT security oversight and was a chief sponsor on the earlier version of the bill. Democratic leaders wanted only committee chairs - and in the case of the Homeland Security Committee, the ranking member - as sponsors. Still, Carper expressed enthusiasm about the revised legislation:
"The bill also includes an initiative that I have been pushing to invest in the next generation of American cyber experts by providing stronger cybersecurity training in our schools and universities," Carper says. "It provides for stronger research and development programs to help develop cutting-edge technologies here at home, keeping us one step ahead of our adversaries."