Senate Homeland’s Cybersecurity Bill in ‘Final Rounds,’ Aide Says
The “final rounds of negotiation” over a cybersecurity bill are taking place between Senate Homeland Security & Governmental Affairs Chairman Joe Lieberman, I-Conn., and Ranking Member Susan Collins, R-Maine, an aide to the committee told lawyers Monday. It would follow the Senate Commerce Committee’s Cybersecurity Act (S-773), which was approved by Commerce in March after industry criticized what was called a kill-switch provision, which was dropped. Aides faced a more docile audience at an American Bar Association discussion in Washington than they had at a federal information security board last month (WID April 12 p3).
The Senate Homeland bill will “elevate and strengthen” the authority and responsibilities of the Department of Homeland Security, the lead agency for protecting the .gov and .com networks, and the Office of Management and Budget, which oversees Federal Information Security Management Act (FISMA) compliance, said Deborah Parkinson, a professional staff member. The committee plans soon to circulate a bill to industry and other interests that includes a requirement for a Senate-confirmed White House cyberczar as well, to institutionalize the job now held by Howard Schmidt. Staff is working to incorporate a FISMA overhaul bill (S-921) by Federal Financial Management Subcommittee Chairman Thomas Carper, D-Del., Parkinson said.
Crucially, “critical infrastructure” will be narrowly defined, to avoid burdensome regulations on the broad swath of facilities that fall under DHS’s National Infrastructure Protection Plan, Parkinson said. The “risk-based” approach will cover “the most critical infrastructure,” such as the communications networks necessary for infrastructure to function and facilities whose failure would have “catastrophic consequences,” she said. The bill includes “more robust language” than the committee would otherwise use on information sharing between agencies and industry, because communications between them have been poor.
Cybersecurity “rocketed up the charts” on the Senate Intelligence Committee’s agenda in the past few years, said Sameer Bhalotra, a professional staff member. He emphasized the unusual amount of coordination among committees on the subject. Intelligence has held three closed cybersecurity hearings this year and is reviewing three studies by its technical advisory group. Hill staffers with cyber portfolios gather monthly for “Cyber Jam” meetings, and officials with cyberduties could swell under bills such as one creating a cybercoordinator at the State Department (WID April 13 p5), Bhalotra said. “There is a lot of momentum on the Hill” and “serious outreach” to businesses, he said. “This is not a political ploy.”
But staffers need outside lawyers’ help to filter the proposals, because legal analysis has been “lagging,” Bhalotra said. Much information about the planned Einstein 3 system -- which is a year behind schedule (WID April 16 p3) and will add intrusion prevention capabilities to the government’s network monitoring tool -- has been declassified and posted at WhiteHouse.gov, he said: “We're in largely uncharted territory” on the legal framework for screening Internet data. Bhalotra asked lawyers to review the Justice Department Office of Legal Counsel’s memo on Einstein 2 as well.
An emerging area of controversy is offensive cyber operations by agencies, first seriously broached in confirmation hearings last month for National Security Agency Director Keith Alexander to lead the military’s new Cyber Command as well, Bhalotra said. The legal framework is “very murky,” he said. Regulatory authority under bills could be fractured by industry, such as power companies with the Federal Energy Regulatory Commission and ISPs with the FCC, he said. A bright spot is the data-breach notification bill that cleared the Senate Judiciary Committee (WID Nov 6 p3), which will help the government become “more data-driven” about cyberattacks and less reliant on “anecdotes.”
“We're seeing a real transformation of the model” for national security, said Bruce Andrews, general counsel for the Commerce Committee. Industry must take a leading role in cyberdefense, and renewed public-private partnerships are a crucial component of S-773, which also focuses on critical infrastructure, he said. “We don’t want to be a speed bump to innovation” but to spur market forces to develop better security, and to clarify presidential authorities over networks during an emergency, which were last explicitly laid out in the 1934 Communications Act, Andrews said, blaming the “blogosphere” for misinterpreting one bill provision as a presidential kill-switch. The government must “develop, implement and rehearse” for a cyberattack in the same way a think tank organized ex-officials for the Cyber ShockWave exercise this winter (WID Feb 17 p1), Andrews said. The Senate Commerce bill sets up a collaborative process for identifying critical infrastructure, because “you don’t want to overuse that term” and treat all facilities the same, Andrews said. Designation would be done through an Administrative Procedure Act rulemaking.
The sector coordinating councils that work with DHS to protect critical infrastructure, which feature participation from about 50 companies, are mentioned several times in the Senate Commerce bill, said Michael Aisenberg, co-chairman of the ABA’s Information Security Committee. He asked how to get broader participation from what he called 14,000 companies with some hand in critical infrastructure. That would be hard to legislate, Parkinson said, because a lot of work goes into the councils and committees are wary of “obliterating the process.” Committees don’t want to “micro-manage” private sector work but welcome broad participation, Andrews said.
Several other bills have “definite implications” for cybersecurity though they focus on other subjects, said Prudence Parks, a lobbyist for the Utilities Telecom Council. Grid security, for example, is covered in Senate Energy and House Commerce bills, and her group has “grave concerns” about the public listing of critical-infrastructure licensing information in the Senate Commerce spectrum-inventory bill, Parks said, asking how the other bills “mesh” with the cybersecurity bills. Parkinson said there’s a good chance that several bills that have “inconsistencies” with the major cybersecurity bills wouldn’t pass on their own, but would be incorporated into larger bills, and problematic provisions would be weeded out. “Sometimes we all sort of duke that out” among staffers on different committees, she said. Bhalotra said “crossover members” who serve on multiple relevant committees can serve as the “natural point people” to ensure the bills don’t contradict each other.