Senators attempt compromise cybersecurity bill

The chances of Congress passing a cybersecurity bill before the presidential campaign drowns everything else out are dimming, but a couple of senators are giving it a try anyway.

Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) are circulating a draft bill that they hope will settle one of the major debates over competing legislative proposals: How heavy the hand of government should be in regulating industries that operate critical infrastructure. They are proposing incentives instead of mandates.

How much it matters if they succeed is another question. Senate Majority Leader Harry Reid took to the Senate floor Tuesday to say it matters very much. He cited a letter (PDF document) from a bipartisan group of former national security officials from both the Bush and Obama administrations, who wrote that the nation is at risk of being unprepared for, "'cyber 9/11,' (and) it is not a question of whether this will happen; it is a question of 'when.'"

The group includes Michael Chertoff, former secretary of Homeland Security; Paul Wolfowitz, former deputy secretary of defense; Mike McConnell, former Navy vice admiral and director of the National Security Agency; General Michael Hayden; retired General James Cartwright; and William Lynn III, another former secretary of defense.

In the letter, the group called the threat of a cyber attack "imminent." And they said it "represents the most serious challenge to our national security since the onset of the nuclear age 60 years ago."

Reid attacked Republicans for blocking a pending cybersecurity bill now in the Senate, backed by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), accusing them of not taking the threat of cyberattack seriously and failing to present any credible alternatives, and said he wants to pass a bill before the current Senate session expires at the end of the month.

But Joel Harding, a retired military intelligence officer and now an information operations expert and consultant, while he supports legislative action, said, "We cannot create this legislation quickly enough -- we needed it a decade ago."

And even if something does pass, Harding said that on the day it is signed into law "it will be obsolete unless there is a new understanding, that legislation will consistently need to be updated to reflect rapidly changing technology and techniques."

Rainey Reitman, activism director for the Electronic Frontier Foundation, agrees with Harding.

EFF has objected strenuously to what it says is a lack of privacy protections in most of the pending proposals, and Reitman said she couldn't comment specifically on the Kyl-Whitehouse proposal, "because we haven't seen it."

"However, anytime the federal government is given the power to regulate technology, it creates the possibility that technology will outpace the government's ability to keep up," she said. "They have made efforts in the bill to address that concern, but it could be years before we really know whether they were successful."

Congress, of course, rarely operates quickly or proactively. The Hill reported last week on the Kyl-Whitehouse proposal -- another bipartisan effort, at least based on its sponsorship.

But the House already passed a bill April 26 -- the Cyber Intelligence Sharing and Protection Act (CISPA) -- that has been attacked for not having enough individual privacy protections, and President Obama has threatened to veto it. In the Senate, the Lieberman-Collins bill, called the Cybersecurity Act of 2012 (CSA), is stalled due to opposition from most Republicans because it gives the Department of Homeland Security (DHS) the power to mandate security standards for critical infrastructure systems.

Sen. John McCain (R-Ariz.) in particular has criticized the Lieberman-Collins bill, saying it would impose unnecessary burdens on businesses. And House GOP leaders have indicated they will not even allow a vote on any legislation that creates new mandates for cybersecurity.

The Kyl-Whitehouse proposal attempts to satisfy the mandate objection by replacing the "stick" approach with a "carrot." Instead of mandates, it proposes a package of incentives for companies that comply with government security standards -- liability protections, preferential treatment in securing government funding, and technical cybersecurity assistance.

But Reid, when he spoke on the Senate floor, was talking about the Lieberman-Collins bill, which he called "an excellent piece of legislation," and said he intended to move it to the floor before the end of the session.

And Lieberman, while he has called the Kyl-Whitehouse proposal "encouraging," hasn't signed on to it. Lieberman spokeswoman Leslie Phillips said it is too early to talk about the Kyl-Whitehouse proposal, since it is still in the form of a six-page draft. "It is still vague and there are still a lot of questions about it," Phillips said.

But she said Lieberman is still hopeful that "something will happen by the deadline."

Joel Harding said the reality is that since meeting government standards requires disclosure, "there may never be enough incentives to convince a company to disclose information that may harm their reputation, costing them current and possibly future business."

But he said: "[There] must be a certain amount of mandates, regulations, laws, call them what you want, to force companies to share their data with the government. Otherwise the government will not have the total picture and perhaps won't have the ability to stop or even prevent current and future problems."

Rainey Reitman said EFF remains "deeply concerned with the civil liberties implications."

"These issues need real solutions or we'll end up with information sharing provisions equivalent to the dangerous provisions in CISPA," she said. "I don't see how ameliorating the concerns of companies around critical infrastructure will address our worries about the privacy rights of Internet users."
