Battle lines over new Senate legislation to defend the country against cyberattacks are forming on the issue of regulation, with some experts testifying on Thursday that the bill goes too easy on industry and others saying it is too tough.
The 207-page bill introduced this week would cover only those critical systems whose disruption the secretary of homeland security determines could lead to “mass” casualties, catastrophic economic damage or “severe degradation” of national security.
Software companies, for instance, would not be covered. Companies that are covered would have to meet security requirements set by the secretary together with the covered companies. The bill also allows for the two-way sharing of technical threat data between the government and the private sector.
“This bill includes significant loopholes that would keep our nation at risk,” said James A. Lewis, a cyber-expert with the Center for Strategic and International Studies, referring to software and other companies not covered.
Using a mass-casualty test to decide who gets regulated is unwise, said Stewart A. Baker, a former senior Department of Homeland Security policy official and former National Security Agency general counsel. “So an individual infrastructure owner, such as a rural electricity provider, has no responsibility under this title if it can show that an undefended cyberattack would only cause an ordinary number of fatalities?” he asked. “How many dead Americans is that exactly?”
But former Homeland Security Secretary Tom Ridge testified that the bill threatens to create “highly rigid” regulation counterproductive to security. Ridge is now chairman of the U.S. Chamber of Commerce National Security Task Force. “Requirements are prescriptions,” he said. “Prescriptions are mandates. Mandates are regulation. And frankly, the attackers and the technology move a lot faster than any regulatory body or political body can move.”
The legislation was the result of three years of work involving at least seven committees, countless meetings with industry, administration officials and privacy advocates, said the committee chairman, Sen. Joseph I. Lieberman (I-Conn.), and ranking member, Sen. Susan Collins (R-Maine), two of the bill’s co-sponsors.
But key Republicans are objecting to the draft bill on procedural grounds, arguing it was not vetted through enough oversight committees.
“Rather than rush into a massive bill that could have unintended consequences … the American people would be better served by holding hearings and a markup so that members of both parties can make informed decisions about cybersecurity legislation,” Senate Republican Leader Mitch McConnell (Ky.) said this week in a statement.
But Sen. John D. Rockefeller IV (D-W.Va.), the Commerce Committee chairman and a bill cosponsor, testified at the hearing that “any suggestion that this process has been anything but open and transparent is patently false.” He said that “the bill reflects input of senators on both sides of the aisle.”
Democratic aides said Senate Majority Leader Harry M. Reid (D-Nev.) still intends to bring the bill to the floor during the second work period of the year, which ends April 30. He has said he wants an open debate with opportunity to amend the bill.
Sen. John McCain (R-Ariz.) said at the hearing that because of the “hurried process” and concerns that the bill would turn DHS into a “super regulator,” he and several other senators were introducing an alternative cyber-bill in coming days.
Lieberman expressed displeasure, but said he hoped that McCain and his colleagues “will be engaged now” in the debate. He urged action to avoid a cyber-version of the 2001 terrorist attacks.
“To me it feels like it is Sept. 10, 2001,” he said. “The system is blinking red — again. Yet, we are failing to connect the dots — again.”