April 6, 2010


Tim Starks, CQ Today Online News, 04/06/2010

After an outcry by industry forced nearly a year’s worth of alterations to his original cybersecurity bill, Senate Commerce Chairman John D. Rockefeller IV has proposed revised legislation that appears to strike a more palatable balance between government pressure and private-sector incentives.

But that does not mean the overhauled measure (S 773) unveiled Wednesday by Rockefeller, D-W.Va., and Olympia J. Snowe, R-Maine, is likely to become law this year. The Commerce, Science and Transportation Committee has scheduled a markup of the bill for March 24, but the 2010 elections, the packed legislative schedule, the multidimensional nature of the cybersecurity issue and a more piecemeal approach in the House make its path to passage quite difficult.

Still, the measure drew praise from advocates of stricter regulation and from industry organizations that had blasted earlier drafts of the bill, first introduced last spring, as too punitive to businesses.

Those drafts were non-starters for the Internet Security Alliance, but it can work with this version, said Larry Clinton, president of the industry group.

“I think they are absolutely moving in the right direction,” he said. “I don’t believe it’s perfect, and I don’t think they believe it’s perfect, either.”

James Lewis, a senior fellow at the Center for Strategic and International Studies, said he thought the new bill struck the right balance. In testimony at a recent Commerce hearing, he had noted that some businesses would not shore up their cyberdefenses unless forced to do so.

“They’ve amended it pretty significantly without watering it down,” he said Wednesday. “The core is still there: to make people meet a higher standard.”

An earlier version of the Rockefeller-Snowe legislation would have established enforceable cybersecurity standards, although the senators said the first draft was meant to initiate discussion.

The new bill would instead require the executive branch to collaborate with the private sector on developing standards and mandate audits of how those standards were being met.

Incentives for complying with the standards would include public recognition similar to the Energy Star program, and companies that fail their audits would be forced to work with the government and other businesses to devise a plan to get into compliance.

The new bill also would eliminate a “kill switch” provision that critics said would allow the president to shut down segments of cyberspace during a cyber-attack. The government and the private sector would instead work together to plan emergency responses.

A new provision would grant security clearances to key industry officials so they could receive threat information. The bill would also maintain many earlier provisions, including the creation of a cybersecurity scholarship program.

Heightened Urgency

The bill is one of many that reflect Congress’ “heightened energy” around cybersecurity, said Liesyl Franz, vice president of TechAmerica, a technology industry advocacy group.

In a statement, Rockefeller sounded an urgent note about the need for the bill: “The networks that American families and businesses rely on for basic day-to-day activities are being hacked and attacked every day. At this very moment, sophisticated cyber-enemies are trying to steal our identities, our money, our business innovations and our national security secrets.”

Franz, whose group is still examining the bill, considers it an improvement. She cited recent House passage of data breach legislation (HR 2221, HR 1319) and a bill intended to bolster federal cybersecurity research (HR 4061) as evidence of increased congressional attention.

But there is no bill comparable to the Rockefeller-Snowe legislation in the House, which has presented a series of measures targeting different aspects of cybersecurity instead.

Jurisdictional issues cloud Congress’ ability to move major cybersecurity legislation. Clinton’s group would like to see other incentives for the private sector in the Rockefeller-Snowe bill, like tax breaks or liability protections, but he acknowledged that would likely require involvement from the Finance and Judiciary committees.

Connecticut independent Joseph I. Lieberman, chairman of the Senate Homeland Security and Governmental Affairs Committee, plans to introduce his own cybersecurity bill in the next “several weeks,” a spokeswoman said, and many more cybersecurity proposals are percolating in that chamber.

Lewis noted that the tight legislative calendar and the political demands on lawmakers would likely prevent final action this year. But despite those complications, he said, he would like to see Congress act quickly.

“We’re going to have to do stuff like this sometime,” he said. “How much longer do we want to keep getting hit over the head by our foreign opponents?”

Clinton said the bill still needs significant work — arguing, for example, that its audit-based approach may force businesses to spend yet more money on audits rather than paying for additional security.

“Bottom of the first inning is the markup next week,” he said. “It’s an urgent issue, but it doesn’t mean you should pass legislation that isn’t going to work.”