A group of Republican senators who are upset with some of the provisions in a cyber security bill introduced this week, and with how it was crafted and is proceeding through the legislative process, will introduce their own cyber legislation shortly, Sen. John McCain (R-Ariz.), a co-author of the forthcoming measure, said yesterday.
“The fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations,” McCain said during a hearing of the Senate Homeland Security and Governmental Affairs Committee to receive input from government and private sector officials regarding the Cyber Security Act of 2012 that was introduced on Tuesday.
McCain said the bill that he and six of his colleagues will introduce following next week’s President’s Day recess will aim at “improving information sharing among the private sector and government, updating our criminal code to reflect the threat cyber criminals pose, reforming the Federal Information Security Management Act (FISMA), and focusing federal investments in cyber security.”
The Cyber Security Act of 2012 also would reform FISMA, authorize increased research and development spending on cyber security and provide a framework for improved information sharing and cooperation between the federal government and private sector as well as among private sector entities. The bill would also give the Department of Homeland Security clearer authority for working with the private sector.
Homeland Security Secretary Janet Napolitano testified at the hearing in support of the new bill, saying that it addresses two key needs. One is bringing core critical infrastructure to a baseline level of security; the other is “fostering information sharing.” She added that it gives DHS “clear statutory authority commensurate with our cyber security responsibilities and remove legal barriers to the sharing of information.”
There are concerns within industry that the comprehensive cyber security bill, which various government and industry officials agree takes a “light touch” toward regulation, may lead DHS down a path toward more regulation over time. There are also concerns that the new legislation hasn’t been properly vetted and could eventually lead to a strong backlash similar to the one from information technology companies and privacy advocates last month that stopped consideration of Internet piracy bills.
McCain criticized the process for the introduction of the Cyber Security Act of 2012, saying it bypassed committee mark-ups. Sen. Joseph Lieberman (I/D-Conn.), chairman of the Homeland Security and Governmental Affairs Committee and a co-sponsor of the bill, retorted that the bill is essentially the same as the one approved by the committee in 2010, the Protecting Cyberspace as a National Asset Act of 2010, which helped progress the comprehensive legislation through the lawmaking process (Defense Daily, June 25, 2010).
Lieberman said he was “disappointed” by McCain’s remarks and added that he and the other co-sponsors of the bill “pleaded” with anyone in the Senate to help craft the legislation “and a lot of people, including yourself, have not come to the table.”
Lieberman said that he welcomed McCain’s forthcoming legislation, which he said the Senate should consider. He added that Senate Majority Leader Harry Reid (D-Nev.) plans to hold an open amendment process on the bill.
Lieberman also mentioned that the bill has outside support from companies like Cisco [CSCO] and Oracle [ORCL], leadership at the Pentagon and even former DHS Secretary Michael Chertoff.
Tom Ridge, the nation’s first DHS Secretary, representing the United States Chamber of Commerce at the hearing, opposes certain measures in the Cyber Security Act. In his prepared remarks, Ridge said the bill gives too much discretion for regulating what would be “covered” as critical infrastructure and require better cyber defenses, and that it should instead rely on existing risk assessments of critical infrastructure.
Ridge also said that the Chamber is concerned that the regulations would shift from being “standards and risk-based and flexible in concept to being overly prescriptive in practice.”
At least one industry group welcomed the pending Republican legislation.
“This will certainly raise the substantive discourse on cyber security and will help get us to an optimal solution,” Nilmini Rubin, director of Government Relations for the Information Technology Industry Council, told Defense Daily.
In addition to Lieberman, the Cyber Security Act was co-sponsored by Sens. Susan Collins (R-Maine), Jay Rockefeller (D-W. Va.) and Dianne Feinstein (D-Calif.).
McCain’s co-sponsors on their upcoming bill include Sens. Saxby Chambliss (Ga.), Kay Bailey Hutchison (Texas), Jeff Sessions (Ala.), Mike Enzi (Wyo.), Chuck Grassley (Iowa) and Lisa Murkowski (Alaska).