A group of US senators has revived stalled cybersecurity legislation by offering compromises to address civil liberties concerns, an effort quickly endorsed by President Barack Obama.
The new bill drew some support from Republican lawmakers amid a drive to pass legislation before the summer recess, but prospects for passage were unclear.
Lawmakers said they hope to bring the measure to the Senate floor in the upcoming week.
The bill aims to identify so-called “critical infrastructure,” including electric power and utility computer networks, and provide oversight to ensure these are secure from attacks.
The revised measure removed some parts of a bill passed in April in the House of Representatives that provoked controversy.
It calls for a National Cybersecurity Council to assess vulnerabilities and would create a voluntary system of reporting attacks that could be damaging to the nation.
In announcing the compromise, Senator Jay Rockefeller called it “a critical first step in our country’s response” to cybersecurity.
“We are moving forward in the spirit of compromise with an incentives-based voluntary approach because it is a crucial matter of public safety and national security that we do something now to ensure our most critical infrastructure is protected from cyber attacks,” said Rockefeller, a Democrat who heads the Senate Commerce Committee.
Independent Senator Joe Lieberman acknowledged that the new bill is weaker than earlier versions, but added: “we are going to try carrots instead of sticks as we begin to improve our cyber defenses.”
“If that doesn’t work, a future Congress will undoubtedly come back and adopt a more coercive system,” he said.
The bill creates no new regulators and provides no new authority for an agency to adopt new standards. But it would allow the private sector and the federal government to share information on threats, incidents, best practices and fixes.
It was endorsed by Republican Senator Susan Collins of Maine and Democrats Dianne Feinstein of California and Tom Carper of Delaware.
Obama, in a commentary in Friday’s edition of The Wall Street Journal, backed the new bill while repeating his pledge to veto “any bill that lacks strong privacy and civil liberties protections.”
“It doesn’t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home,” Obama wrote.
“Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.”
Civil liberties and privacy groups, which rallied against the Cyber Intelligence Sharing and Protection Act passed by the House, gave a cautious welcome to the new effort.
Michelle Richardson of the American Civil Liberties Union said the new bill has “significant privacy amendments” but cautioned that there could be efforts on the Senate floor to remove those protections.
“We will be carefully watching how this unfolds on the floor and will be calling on you to fight anti-privacy amendments and support ones that we expect will further limit the government’s authority,” she said.
Rainey Reitman and Lee Tien of the Electronic Frontier Foundation said in a blog post that “this new bill drastically improves upon the previous bill by addressing the most glaring privacy concerns,” but added: “we remain unpersuaded that any of the proposed cybersecurity measures are necessary and we still have concerns about certain sections of the bill.”
But James Lewis of the Center for Strategic and International Studies said that by watering down the bill, lawmakers had stripped out any real protection and left an essentially political bill.
Lewis said some politicians “want to pass legislation that has cybersecurity in the title before the election.”
In order to provide real protection, Lewis said, “you would need a commission to designate specific infrastructure, with mandatory rules, so that these places would secure their networks.”