A group of Republican senators on Thursday introduced cybersecurity legislation that they positioned as a far more limited alternative to the comprehensive, bipartisan bill introduced last month.
The so-called SECURE IT Act -- backed by eight ranking members on various Senate committees and subcommittees that claim jurisdiction over some aspect of cybersecurity -- would focus narrowly on provisions to facilitate the sharing of information about cyber threats, while avoiding the expanded regulatory oversight and compliance mandates provided for in the competing bill.
"The centerpiece of this legislation is a framework for voluntary information sharing," Sen. John McCain (R-Ariz.), the ranking member of the Armed Services Committee, said at a news conference announcing the bill. "In setting forth our information sharing framework we do not create any new bureaucracy. The goal is simple: to remove hurdles that prevent important information from being shared with the people who need it most."
McCain first signaled his intent to bring forward a GOP-backed bill last month at a hearing of the Homeland Security and Governmental Affairs Committee, on which he also serves. Joe Lieberman (I-Conn.), the chairman of that panel, along with Ranking Member Susan Collins (R-Maine) and two other Democrats had recently introduced their own bill, the Cybersecurity Act of 2012, that takes a far more sweeping approach, vesting the Department of Homeland Security with new authorities over private-sector networks, among other provisions.
McCain, a longtime critic of DHS, particularly in the context of cybersecurity oversight, blasted the Lieberman-Collins bill for expanding the regulatory authority of an agency that he has argued is struggling to fulfill its current mission.
The competing visions for cybersecurity reform both start from the consensus view that the status quo is insufficient to defend against the very real and dangerous threat of cyber attacks that could target critical infrastructure such as the systems that power electrical grids, financial exchanges or telecommunications networks. As a political matter, that starting point is no longer controversial.
"All of us understand the challenge, that we need to improve the current state of cybersecurity in this country," McCain said, citing a 2011 report (available in PDF format here) from the Government Accountability Office estimating that the volume of cyber attacks had increased 650 percent in the preceding five years. Even his 2008 presidential campaign operation came under attack by hackers, McCain said, "which means that they must have exhausted most of their other options." President Obama has said that his campaign was attacked as well.
Bills Differ on How to Share Information
Both bills address the information sharing question, albeit with sharply contrasting approaches. Rather than create new federally administered cybersecurity exchanges for public and private entities to share information, as the Lieberman-Collins bill would, the GOP alternative bill would rely on existing centers such as the six facilities the National Security Agency maintains throughout the country, as well as U.S. Cyber Command, which is administered by the Defense Department and collocated with the NSA.
But the backers of the new bill emphasized the hands-off approach that their proposal takes, leaving all information sharing among the private sector completely voluntary, with the narrow exception that federal contractors that detect a threat pertaining to the work they are doing with a particular agency or department would have to notify that government body.
"More government is seldom the solution to any problem," said Sen. Saxby Chambliss, the vice chairman of the Select Committee on Intelligence and a co-sponsor of the SECURE IT Act. Chambliss highlighted the contrast between the two bills, noting that the GOP measure authorizes no new funding, adds no regulations or government mandates and does not add to the size of the federal government. "I have yet to hear any reasonable explanation of why more regulation and more government will make anybody safer. In fact, it's likely to have the opposite effect, and we need to encourage innovation and sharing information, not focus on complying with bureaucratic requirements."
The bill would provide a targeted antitrust exemption designed to encourage companies to share threat information with one another, even if they are competitors. It would also establish liability protections for private sector entities that secure their systems in the event of a cyber attack. Variations of those provisions are included in the Lieberman-Collins bill, though they are intertwined with the DHS authorities.
In addition to the core information sharing principles, the SECURE IT Act would enact reforms to the Federal Information Security Management Act, or FISMA, the statute mandating security requirements for the IT systems deployed by the federal government. It would also amend the Computer Fraud and Abuse Act to update criminal penalties for cyber crimes and reauthorize an existing federal program that supports IT research and development, placing an added emphasis on security and shoring up the supply chain.
The Lieberman-Collins bill also includes provisions for reforming FISMA and promoting cybersecurity research.
In longhand, the GOP bill is formally known as the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act, a convoluted title formulated to achieve the SECURE IT acronym. "I think I will fire the staffer that came up with that name," McCain quipped.
The other Republican committee and subcommittee leaders joining McCain and Chambliss as original cosponsors of the bill are Kay Bailey Hutchison (Texas), Chuck Grassley (Iowa), Lisa Murkowski (Alaska), Dan Coats (Ind.), Ron Johnson (Wis.) and Richard Burr (N.C.).
In a joint statement, Sens. Lieberman and Collins, along with their fellow co-sponsors Sens. John Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.), offered muted praise of the backers of the new bill for recognizing the severity of the cyber threat, saying "we are eager to work with them to bring comprehensive cybersecurity legislation to the Senate floor as soon as possible."
But in outlining their bill, the Republicans expressed little interest or hope for crafting a comprehensive framework. Their narrow focus on information sharing mirrors the approach that members of the House of Representatives have taken, and the senators indicated that they had heard whispers of support for their proposal from some Democrats in the upper chamber. Hutchison, however, declined to name those Democrats when asked by a reporter after the news conference.
The authors of the new legislation object to the Lieberman-Collins bill on grounds of both policy and process.
"Advancing legislation has been difficult," McCain said, noting seemingly intractable differences of opinion on which agency is best suited to take the lead in coordinating the security of civilian networks and the extent to which it should be involved, whether additional regulations are necessary, and how large any new programs should be and how they should be paid for.
"These questions and others have led to failure for the handful of broad, overly comprehensive proposals put before the Senate," McCain said. "Thus far those bills have been unable to gain the necessary support to pass the Senate, much less both chambers of Congress."
Senate Majority Leader Harry Reid (D-Nev.) has said that he plans to fast-track the Lieberman-Collins bill to the Senate floor for a debate, possibly as early as this month, bypassing the markup that would take place in committee, in this case a panel on which McCain serves. The Arizona Republican has been roundly critical of that procedural move, which spurred the GOP leaders to draft their own bill that McCain said he will offer as a substitute amendment when the Lieberman-Collins legislation comes to the floor.
The two sides offer conflicting accounts of the degree of inclusiveness the Democratic leadership has facilitated over the past couple of years. Reid and Lieberman have both said that they reached across the aisle in the interest of crafting a comprehensive bill that would enjoy broad, bipartisan support, but that Republicans were unwilling to come to the table.
McCain, for his part, contends that he approached Reid months ago, asking for bipartisan talks that would include the ranking members of the committees backing the new bill, but that he was rebuffed.
"We wanted to sit down with him. It didn't happen," McCain said. "He can say that pigs fly, but it didn't happen."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.