Legislation to address the issue of protecting the nation’s critical networks from attack will be on the agenda when Congress returns from the 4th of July recess. Senators have been divided between two versions of cybersecurity legislation, one proposed by Senate Republicans, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act ("Secure IT"), and another by Senators Joe Lieberman (I-CT) and Susan Collins (R-ME) that has the backing of Senate Majority Leader Harry Reid (D-NV) and President Obama.
The House of Representatives passed their cybersecurity bill back in April. The House bill, the Cyber Intelligence Sharing and Protection Act of 2011 ("CISPA"), focuses on fostering information sharing between government and the private sector while exempting voluntarily-shared information from public disclosure and providing liability protections for private sector entities that engage in information sharing. Citing privacy concerns and concern that the bill doesn’t do enough to protect critical networks, President Obama has threatened to veto the House bill should it reach his desk.
Last Wednesday, Senate Republicans, in an effort to improve on several areas as well as enhance privacy protections, introduced a new version of the Secure IT Act. Privacy advocates had aired concerns that the previous version of the bill would give government agencies access to Americans’ private online information, and the new version aims to address those concerns by clarifying that the government cannot use or retain the information it receives for reasons other those specified in the bill. The new bill further tightens the definition of cyber threat information to provide stronger protections for consumers and clarifies the responsibilities of the cybersecurity centers to facilitate information sharing with each other and with other federal entities and the private sector. Senator Kay Bailey Hutchison (R-TX), one of the co-sponsors of the legislation, said in a statement that they worked closely with stakeholders over the past few months and believe that the measure is a "consensus bill that will significantly advance the security of our government and private sector networks.”
Senate Republicans have been at odds with the White House and Senate Democrats, in particular, over whether to give government the power to set mandatory standards for critical infrastructure, with Democrats arguing that any legislation must contain provisions to do so. The Lieberman-Collins bill would authorize the Department of Homeland Security (DHS) to set mandatory security standards for critical infrastructure, while the Republican bill focuses on information sharing over regulation. A bipartisan group of senators, including Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ), have drafted a bill that would pressure, but not force, companies to meet security standards in an effort to seek compromise between the two versions.
Majority Leader Reid has said he plans to bring the Lieberman-Collins bill to a vote this month. Any differences between the cybersecurity proposals that have been offered are likely to be worked out on the floor, in the form of amendments. Progress on passing comprehensive cybersecurity legislation could come just in time, as DHS reported this week that companies have seen a sharp rise in cybersecurity incidents over a three-year period.