Cybersecurity: Does Senate deal on legislation compromise defenses?

Cybersecurity hawks agreed to voluntary measures instead of government mandates. Privacy advocates are pleased, but others say compromise bill doesn't protect vital national assets. 

In a desperate bid to get a cybersecurity bill passed before Congress adjourns in August, Senate hawks seeking to protect vital national assets like the power grid blinked – offering up compromise legislation that substitutes voluntary measures for government mandates.

Under the compromise, unveiled late Thursday, operators of gas pipelines, refineries, water supply systems and other physical assets vital to modern life in the US would voluntarily submit their computer networks to testing by the Department of Homeland Security. In return, they would get protection from financial liability in case of a devastating cyberattack.

Key to the revamped version of the Cybersecurity Act is a public-private partnership – a multi-agency National Cybersecurity Council – chaired by the secretary of Homeland Security. It would assess risks and vulnerabilities, but allow industry to recommend voluntary practices to deal with cyberthreats.

Standards would be reviewed, modified or approved by the council. Industry could also show its systems to be secure through self-certification or third-party assessment. The companies would then be eligible for liability protection.

"We are going to try carrots instead of sticks as we begin to improve our cyberdefenses," Sen. Joe Lieberman (I) of Connecticut, a co-sponsor of the legislation, said in a statement. "This compromise bill will depend on incentives rather than mandatory regulations to improve America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."

While he acknowledged the bill previously introduced in February by himself and Sen. Susan Collins (R) of Maine "is stronger," Lieberman said the new "compromise will significantly strengthen the cybersecurity of the nation’s most critical infrastructure and with it our national and economic security."

But others said the compromise Cybersecurity Act – which is aimed at wooing votes away from an entirely voluntary cybersecurity bill offered by Sen. John McCain – is now too weak to truly protect the nation's key computer networks, precisely because it is voluntary.

"The best thing you can say about this new bill is that it doesn't do much harm – but it also doesn't make things any better," says James Lewis, a cybersecurity expert with the Center for Strategic and International Studies in Washington. "There are no new authorities and everything in the bill could already be done under an executive order."

The power grid near Albuquerque, N.M., provides power to Sandia National Laboratories, which oversees nuclear weapons research, and Kirtland Air Force Base, which has advanced weapons. Both would go dark without the grid – as would the bulk of US military bases – making the grid a prime target. Mr. Lewis wonders whether cybersecurity measures for such areas will be voluntary or mandatory.

The only chance now to give the bill teeth, he says, is to amend it when it reaches the Senate floor to make it stronger, and add some mandates. But there will also be a big countervailing push to further dilute the compromise bill, he acknowledges.

"The problem is that the incentives the bill offers just aren't enough," he says. "If you sign up for this approach, then the Department of Homeland Security can inspect your networks. If you don't sign up they can't. Why would anyone sign?"

Privacy advocates, however, cheered the updated bill, which includes retooled language on information sharing between private industry and government. The key, they said, was that information from private industry would be handled by civilian rather than military authorities.

"These new and revised provisions go a long way toward alleviating our concerns about the threats the cybersecurity legislation posed to our fundamental constitutional rights," Sharon Bradford Franklin, senior policy counsel at the Constitution Project, said in a statement. The Constitution Project is a cyberprivacy group based in Washington.

Information shared for cybersecurity reasons would be limited and could not be used for unrelated law enforcement or other purposes.

"The information-sharing provisions of this bill are now not only better than earlier versions offered in the Senate, but are vastly superior to those in the Cyber Intelligence Sharing and Protection Act (CISPA) passed earlier this year in the House," Ms. Bradford Franklin said.

A cybersecurity op-ed article by President Obama appeared on the Wall Street Journal's website a few hours after the compromise was unveiled. Some news reports took that to mean the White House backs the compromise bill – although there was no explicit statement about it in the article. Mr. Obama has previously staunchly supported the Cybersecurity Act's earlier mandatory approach.

"The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements," the president wrote. "It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries."
