2012-03-09

Sens. Joe Lieberman (I-Conn.), chairman of the Senate Homeland Security Committee, and ranking member Susan Collins (R-Maine) said in an interview this week that government network protection requirements on critical infrastructure providers [cable and telcos are likely chief among those] were a necessary part of crucial cybersecurity legislation.

Many Hill Republicans on both sides of the aisle have concerns about mandates, but Collins is not one of them.

The two were being interviewed for C-SPAN's Communicators series about their version of cybersecurity legislation.

That Senate bill, the Cybersecurity Act of 2012 (S. 2105), would require the Department of Homeland Security to come up with network cybersecurity performance requirements that industry would have to meet. Lieberman pointed out the bill is primarily targeted to industry, rather than government, whose Web sites he said are in "much better shape" in terms of their defenses, though he conceded they are still attacked and there is still work to do in that sector as well.

There were 3 billion cyber attacks on government and industry, said Collins, which is why legislation, and private sector standards, are needed. She said the bill was carefully crafted and pointed out industry will be involved in coming up with the performance-based standards that would have to be met. She also pointed out that industries already meeting those standards would be exempt from the legislation.

Lieberman said current law does not do much to protect Web sites, and that passing this bill is the most important thing Congress can do this year to protect the nation's security, economic and otherwise. He called the Web a "Wild West" before the sheriff came to town, and said the director of the FBI had told him that cyberattack would soon supplant terrorism as his and the country's most serious threat to homeland security.

"At some point, the federal government has got to be able to say to a private business that owns critical infrastructure that we all depend on, that an enemy might attack: 'You've got to meet this standard of defending yourself and defending our country.'"

He said that currently, some companies do it. He says the bill sets a "light" standard, and that it is up to those companies to decide how they meet it. In the bill, DHS would get together with industry to set that standard. He called those standards the "point of truth" in the bill. He pointed out the other Senate bill, introduced by Republicans led by Sen. John McCain (R-Ariz.), does not do that, and thus "does not get the job done." Collins echoed that those standards were a key part of their bill.

The Republican-backed bill, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology, or SECURE IT Act, focuses on industry efforts and information sharing between stakeholders and government, including insulating industry from liability for sharing that information.

Cable operators and other network providers are concerned about any mandates. At a House Energy & Commerce Committee hearing on cybersecurity earlier this week, Comcast and AT&T engineers warned that mandates would reduce industry's flexibility to respond creatively and in real time to attacks, and would have folks who should be coming up with those responses filling out government paperwork and checking boxes when they should be focusing on defending their, and the country's, infrastructure, which they point out is in their own self-interest.

House Republicans at the hearing signaled they, too, had concerns about mandates and checklists.

Collins said that there was nothing in the bill that stifles innovative responses. "I would argue that it will encourage companies to try new approaches and develop new security measures."

Collins pointed out that their bill also encourages more communications and threat information sharing between stakeholders, but that by itself that was not sufficient. She says the bill sets the bar "very high" for the definition of critical infrastructure that would trigger the performance requirements, including "mass casualties" and "severe economic damage," though, given the rise of broadband-delivered health and emergency information, including the migration of 911 and emergency communications among first responders to broadband, as the country is doing, that definition would appear to include major ISPs like Comcast or AT&T.

"It is not like we are trying to sweep in everything," she said.

Lieberman said Sen. McCain was off base when he called the bill a "bureaucratic leviathan." Lieberman echoed Collins that there was plenty of industry input, with a lot of room for voluntary compliance. He says this is not overregulation of business, but instead a public safety law that will protect American businesses from being hacked, attacked and stolen from. He asked if it is overregulation to ask a developer to meet certain safety standards, and answered his own question by saying such standards were needed in building the nation's cyberstructure. Collins said the alternative bill would leave the nation vulnerable to "huge threats."

"If we adjourn without taking action on cybersecurity," said Collins, "shame on us." But Lieberman said he could not support the Senate Republican version because it was "simply inadequate." He said most parts of both bills were negotiable, including criminal penalties, but that performance standards are not.

Lieberman said he was not sure when his bill would get to the floor. But he pointed out that Senate Majority Leader Harry Reid (D-Nev.) has made it a priority and signaled it may come to the floor by the end of this month. If not, he expected it would by the middle of April following the Easter/Passover break.