How much cyber security is enough? Companies wary as Senate weighs bill.
The Senate on Monday takes up a cyber security bill affecting companies that own power systems, water facilities, and other critical infrastructure. Though new security standards would not be mandatory, the private sector remains cautious.
But Lieberman and cosponsors of the bill struck back at the chamber in a letter Friday to Thomas Donohue, the chamber's chief executive officer. The senators said they were "baffled" that the business group would oppose a "voluntary, incentives-based approach" to protecting critical infrastructure, The Hill blog reported Monday.
"Given the cyberattacks that have affected the Chamber's own control over the information of its members, we would have hoped that you would have an appreciation for the threat to the national and economic security of our nation," the letter said.
The White House had sought mandatory cybersecurity measures, but says it will support Lieberman's compromise bill.
Even though compliance with cybersecurity measures would be voluntary for private-sector businesses, the bill may require more than a divided Congress can stomach. A cybersecurity bill that cleared the House of Representatives calls for improved information-sharing between the government and the private sector – but it includes no standards at all. Whatever emerges from the Senate must be reconciled with the House legislation before a final bill goes to President Obama.
Under the Cybersecurity Act compromise bill, unveiled late Thursday, operators of natural-gas pipelines, refineries, water supply systems, and other physical assets vital to modern life in the United States would voluntarily submit their computer networks to testing by the US Department of Homeland Security (DHS). In return, they would get protection from financial liability in the event of a devastating cyberattack.
Key to the revamped version of the Cybersecurity Act is a public-private partnership – a multiagency National Cybersecurity Council, chaired by the DHS secretary. It would assess risks and vulnerabilities, but it would also allow industry to recommend voluntary practices to deal with cyberthreats.
Standards would be reviewed, modified, or approved by the council. Industries could also show their systems to be secure through self-certification or third-party assessment. The companies would then be eligible for liability protection.
"We are going to try carrots instead of sticks as we begin to improve our cyber defenses," Lieberman said in a statement. "This compromise bill will depend on incentives rather than mandatory regulations to improve America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."
Some cybersecurity hawks, however, are shaking their heads, saying a voluntary Cybersecurity Act won't protect critical infrastructure – and they worry that Senate amendments this week will water it down even more.
"Congress knows there is a serious problem, knows that weak cybersecurity creates a new risk to national security for which we are unprepared, but the votes are not there for national security," James Lewis, a cybersecurity expert with the Center for Strategic and International Studies, a Washington think tank, wrote in an analysis. "The political solution in this case is to pass ineffective legislation and pretend it will work."