In an otherwise divided Congress, there is clear, bipartisan support for upgrading America’s cybersecurity capabilities. BSA believes this is an urgent matter of national and economic security; it cannot wait to be addressed. We also believe lawmakers are making significant progress. A number of House and Senate bills are pointed in the right direction, so it is time to hammer out the remaining details and get legislation passed.
In January, BSA outlined a series of policy priorities for cybersecurity legislation. Since then, Senate Homeland Security Chairman Joe Lieberman (I-Conn.), Ranking Member Susan Collins (R-Maine), and Commerce Committee Chairman Jay Rockefeller (D-W.V.) have introduced a robust bill, the Cybersecurity Act of 2012 (S.2105), which covers the most important bases. Sens. John McCain (R-Ariz.), Saxby Chambliss (R-Ga.), and Kay Bailey Hutchison (R-Texas), along with a group of other key Republicans, have introduced the Secure IT Act (S.2151), which covers much of the same ground.
The most obvious difference between the two Senate bills is that the Lieberman-Collins-Rockefeller package contains a specific section that aims to bolster security around critical infrastructure, while the McCain-Chambliss-Hutchison alternative aims to improve critical infrastructure security through its information-sharing provisions. This is an admittedly tricky issue. Lieberman, Collins, and Rockefeller believe critical infrastructure such as nuclear plants and water facilities would be a prime target in a cyber-9/11 scenario, so more federal involvement is warranted. McCain, Chambliss, and Hutchison fear that overregulation could end up undermining security with ineffective bureaucracy that slows down our ability to react to real-time threat information and rapidly address vulnerabilities. They are pressing for more shared responsibility in the exchange of information between government and industry to protect critical infrastructure. The gap between the two bills is bridgeable, however. Indeed, Lieberman and McCain have directed their staffs to work on a compromise.
In the House, Energy and Commerce Committee Chairman Mary Bono Mack (R-Calif.) reportedly plans to introduce a bill similar to the McCain-Chambliss-Hutchison package — likely mirroring a forthcoming revision. Meanwhile, Rep. Mike Rogers (R-Mich.) has sponsored an information-sharing bill (H.R.3523) that already has cleared the Intelligence Committee, collecting nearly 90 cosponsors along the way. And Rep. Dan Lungren (R-Calif.) has a bill (H.R.3674) that promotes information sharing while also directing a review of existing security standards for critical infrastructure. More bills on other key issues are likely to follow.
It is especially heartening that all of the aforementioned Senate and House bills put improving information sharing front and center, because that issue is at the core of the cybersecurity problem. Entities in the private sector need incentives, liability protection, and as little red tape as possible to encourage them to share warning signs they detect about potential cyber threats so that suspected public and private-sector targets can be hardened and attacks can be averted. At the same time, it is important to signal that government, too, can do a better job of sharing real-time threat information with trusted entities in the private sector.
It also is encouraging that both of the leading Senate bills would improve the way federal agencies secure their IT systems by reforming the Federal Information Security Management Act of 2002 (FISMA). Both would boost research and development. And both would promote international standards and coordination, which is critical given the global nature of the Internet.
These many commonalities underscore that an opportunity for legislative compromise on cybersecurity is near at hand. Now is the time to seize it.