Trade Law Daily is a Warren News publication.
Tantalizing Clues?

Proposed Senate Cybersecurity Bill Circulates Off Hill

A proposal identified as combining cybersecurity bills introduced by Sens. Joe Lieberman, I-Conn., and Jay Rockefeller, D-W.Va., would give the president broad emergency powers over critical infrastructure in the event of a cyber emergency and make the Department of Homeland Security the lead civilian agency setting cybersecurity regulations for private industry. The 81-page proposal we obtained from an industry lobbyist is titled “HSGAC/Commerce Combined Draft” and labeled “Staff Draft-for discussion purposes only” and “Last revised 8/2/10, 4:15 p.m.” It would make the private sector “responsible for enhancing security of the nation’s most critical systems while the government ensures effective oversight and compliance,” said a summary provided with the draft. None of the Senate offices we contacted would comment on the proposal.



Title I of the proposal would establish a White House Office for Cyberspace Policy with a director appointed by the president and confirmed by the Senate. The director would act as a cyber czar, advising the president on all cyberspace-related matters. The director also would oversee and integrate federal efforts to secure cyberspace and develop a national cyberspace strategy incorporating military, law enforcement, intelligence and diplomatic efforts. Senate Majority Leader spokeswoman Regan Lachapelle also declined to comment other than repeating a comment from last week that Senate committees are working in a bipartisan manner and making progress.

Title II would establish a National Center for Cybersecurity and Communications at the Department of Homeland Security. The Center would be charged to detect, prevent, analyze and warn of cyber threats to civilian government systems and private sector infrastructure. It also would be the primary contact between the federal government, state and local governments, and private entities on the security of national information networks.

The center would direct a “robust” information sharing program about cyber threats and attacks with federal agencies, state and local governments, and the private sector. It would be led by a director appointed by the president and confirmed by the Senate and would include the existing United States Computer Emergency Response Team. That team would provide continuous, automated monitoring of the federal information infrastructure at external Internet points. It also would warn federal agencies and private industry of threats, vulnerabilities and incidents affecting the federal information infrastructure. The director would have broad powers to access and analyze law enforcement, intelligence, “and any other information” relevant to the security of the federal information infrastructure or private information infrastructure. The director would have to follow applicable laws on protecting trade secrets, individual privacy and civil liberties. Notably absent from the bill is language on federal and private cybersecurity supply chain management, although the draft compares language from the Commerce and Homeland Security bills on that point.

Title III would empower the Department of Homeland Security to designate privately owned “covered critical infrastructure,” defined as a system that “if disrupted, would result in a national or regional catastrophe.” Owners and operators of designated critical infrastructure could appeal the designation within the department and would have the burden of showing an abuse of discretion by the Homeland Security secretary. The decision on appeal would be final and not subject to judicial review.

The department would establish risk-based security performance requirements for critical infrastructure within 270 days after enactment of the bill. Instead of mandating specific measures that owners and operators had to take, Homeland Security would allow them to choose the security measures that meet these standards. The proposal doesn’t give tax incentives to owners and operators to encourage them to adopt cyber measures. Critical infrastructure would be assessed by third parties at least once a year to determine whether it met the security performance requirements. Homeland Security would set civil penalties and be empowered to initiate enforcement actions for noncompliance.

Title III also would give the president the power to declare a cyber emergency if there was an actual or imminent threat “to disrupt the operation of the information infrastructure essential to the reliable operation of covered critical infrastructure.” In such an emergency the president could direct private owners and operators of critical infrastructure to implement responses. The president also could order critical infrastructure to take “such other emergency measures necessary to preserve the reliable operation, and mitigate the consequences of the potential disruption of the covered critical infrastructure.” The emergency measures would have to be the “least disruptive means feasible,” the bill said.

The president would have to inform Congress of the circumstances necessitating the emergency and its estimated scope and duration, along with the measures ordered. The declaration would expire after 30 days unless extended by the president, and extensions longer than 90 days would require a joint resolution approved by both houses of Congress. Emergency measures could not restrict or prohibit communications carried by critical infrastructure unless the National Center for Cybersecurity and Communications determined that no other measure would preserve the national information infrastructure. The bill also specifically would forbid any federal entity from taking control of covered critical infrastructure. It would protect owners and operators from punitive damages or liability resulting from actions taken during an emergency.

A communications industry official who reviewed the proposal said it reveals a tension between a regulatory approach toward cybersecurity and a public-private partnership. There’s always been a tension between the Lieberman bill, which emphasizes regulation, and the Rockefeller bill, which takes the public-private approach, the official said. President Barack Obama hasn’t endorsed the regulatory approach of the Lieberman bill, the official said. That’s because of the constantly changing nature of cyberthreats, the official said. “Let’s say you took a best practice and turned it into a mandate,” the person said. “There are so many holes in that you could drive a train through it.” Those engineering attacks bring competencies in computer science, military strategy, higher mathematics and game theory, the official said, citing secret briefings on cybersecurity threats shared by the administration. “It is the nature of the threat environment that is driving more of an interest in working with industry.”

“To the credit of the Obama administration, they’re willing to do it right instead of fast,” the official said. “Doing it right means understanding what the unintended consequences are. And the Lieberman bill’s consequences are the dismantling of the public-private partnership.”

Another problem is that cybersecurity cuts across the jurisdiction of many congressional committees, the official said. An omnibus cybersecurity bill requires resolving many turf tensions, the official said, and can’t be done quickly. The official predicted that the Senate will not pass a cybersecurity bill before the election unless something unforeseen happens, and that passage will take longer than 2010.