White House Chides Alternate Cybersecurity Bill

McCain said the bill will end the current “stalemate” in the congressional cybersecurity debate by reducing barriers to sharing information about cyberthreats in a fiscally responsible way. “The goal is simple: To remove hurdles that prevent important information being shared with the people that need it most,” he said. “The other components of our bill are reforming the Federal Information Security Management Act (FISMA), updating our criminal code to reflect the threat that cybercriminals pose and focusing federal investments on cybersecurity research.”

The bill’s “half measures” are “not sufficient” to address the nation’s cybersecurity vulnerabilities,” White House spokeswoman Caitlin Hayden told us. “Legislation to address our national security needs must include tools for our government and private sector cybersecurity professionals to ensure the nation’s critical infrastructure is protected while preserving the privacy and civil liberties of our citizens,” she said. “Resorting to half measures, such as legislation that relies on corporations to share more information for their own benefit without strong privacy protections, is not sufficient to address our nation’s critical infrastructure vulnerabilities and therefore is not commensurate with the very real and urgent cyber threats we face.”

The primary difference between the SECURE IT Act and previously introduced S-2105 is that the new bill lacks any provisions or requirements to compel owners and operators of critical infrastructure to increase their cybersecurity protections. S-2105 authorizes the Homeland Security secretary to identify where private sector performance requirements are inadequate and develop new performance requirements for owners and operators of covered critical infrastructure (CD Feb 15 p9). Chambliss rebuked such an approach: “Now is not the time for Congress to be adding more government, more regulation, and more debt -- especially when it is far from clear that any of it will enhance our security.”

Contrary to S-2105 and the White House cybersecurity proposal, the SECURE IT Act also fails to designate the Department of Homeland Security (DHS) or any agency with the sole authority to respond to a national cybersecurity attack. McCain told us that the Department of Defense (DOD) and the National Security Agency (NSA) are better suited than DHS to protect the U.S. from cyberthreats. “We have the Cyber Command already, we have NSA, and [cybersecurity] is one of its highest priorities,” he said. “I would like to see the case made as to who should be the lead agency. I happen to feel that DOD and NSA [are]. But I'm not wedded to anything. I want to get this thing done.” DHS did not comment.

The authors of S-2105 are “encouraged" by their colleagues’ recognition that “we must act to address the increasingly sophisticated and dangerous attacks on our national infrastructure,” said a written statement from Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn.; Ranking Member Susan Collins, R-Maine; Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va.; and Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif. “We can no longer delay action on deciding how to deal with this critical issue and we are eager to work with them to bring comprehensive cyber security legislation to the Senate floor as soon as possible.”

McCain accused Democrats and Majority Leader Harry Reid, D-Nev., of failing to give Republican leaders an adequate opportunity to “hash out” a bipartisan bill. “I asked Senator Reid a long time ago: How about getting the ranking members and committee chairmen of the relevant committees together and let us try to hash that out? And he didn’t want to do it. To say that he invited us to anything [is false] … It didn’t happen.”

The SECURE IT Act offers liability protections and exemptions from antitrust laws to encourage voluntary disclosure of cyberthreats among private sector entities, the text said. It also requires federal contractors that provide electronic communication, remote computing or cybersecurity services to share cyberthreat information with the government. “Instead of the heavy hand of the government, our approach promotes information sharing and keeps the taxpayers’ wallets closed,” Grassley said.

USTelecom said it supported the SECURE IT Act because it does not create new bureaucracies or regulatory mandates that would “erode, rather than enhance, the ability of network providers to provide nimble and effective responses to cyber threats.” Cybersecurity “is a complex challenge, requiring a collective and collaborative effort from everyone in the Internet industry and government,” said Tim McKone, an AT&T executive vice president.

Section 103 encourages DHS and the NSA to pool their cyberthreat information in an undetermined cybersecurity center. The bill requires the director of national intelligence and the Defense secretary to consult with the heads of the “appropriate Federal departments or agencies,” to “facilitate and promote the immediate sharing of classified cyber threat information in the possession of the Federal government.” McCain dismissed accusations the bill increases government monitoring of domestic network systems. “The only government actions allowed by our bill are to get information voluntarily from the private sector and to share information back,” he said. “We have no government monitoring, we have no government takeover of the Internet and no government intrusions.”

The bill would “turn the military loose on the domestic civilian Internet,” said American Civil Liberties Union Legislative Counsel Michelle Richardson. “It has the potential to dwarf the Patriot Act and some of the other collection bills we've seen flourish over the past few years,” she said: This White House has been “crystal clear that the NSA needs to stay off the civilian Internet and we hope that Congress follows their lead."

"This is obviously a very thin line that we have to walk,” Chambliss said. “The privacy rights of either individuals or corporations [are] going to be shared only with respect to what those individuals or corporations want to be shared. Secondly, if they do come forward or have a contract with the government they have the right kind of immunity where they can feel free to share the information knowing that it’s not going to be shared with the general public in any way,” he said. “It is a very, very tricky line we have to walk.”

"There are provisions that allow for anonymity and protection of the systems that would be of a proprietary nature,” added Hutchison. Section 103 requires the heads of each federal agency that handles cybersecurity information to submit biennial privacy reports to Congress to detail the impact such information sharing could have on people’s privacy and civil liberties. McCain acknowledged concerns from privacy groups that the bill could encourage greater NSA and DOD monitoring of Americans’ Internet usage: “There is always that concern and we are going to have to make the case that they are not. But [NSA and DOD] are the most efficient.”

The SECURE IT Act encourages greater security for federal networks by directing the secretary of Homeland Security to carry out continuous monitoring of each agency’s threat assessment and security state. It mirrors the Cyber Crime Protection Security Act (S-2111) by updating the federal racketeering statute to include cybercrimes and enhancing the penalty structure under the Computer Fraud and Abuse Act (CFAA). The bill provides for more information technology research and development, with an emphasis on bolstering cybersecurity and supply chain security. It directs the National Science Foundation to use existing funds to increase cybersecurity scholarship and training programs at federal and state levels.

The provision amending the CFAA is “mostly window dressing” because law enforcement lacks the capabilities to catch many of the cyberattackers that have created the current crisis, former DHS Assistant Secretary Stewart Baker said. The provision that adds CFAA offenses to the list of Racketeer Influenced and Corrupt Organizations Act violations creates a “vague and open-ended new private cause of action,” he said. This would allow tort lawyers “to seek treble damages for things like violating the terms of use on a website,” he said. “That doesn’t seem like a very Republican thing to do.”