In preparation for introducing comprehensive cyber security legislation early next year, the Senate is circulating draft bill language to stakeholders for their input, Sen. Joseph Lieberman (I/D-Conn.), a leading proponent of the legislation, said last Thursday night.
Last week the Senate began to share staff draft legislative language on improving critical infrastructure security and for reforming the Federal Information Security Management Act, Lieberman, who chairs the Senate Homeland Security and Governmental Affairs Committee, said at an event sponsored by the Homeland Security & Defense Business Council.
“More titles will be circulated in the weeks to come and we are looking forward to meeting with interested parties to discuss these proposals,” Lieberman said.
By allowing various stakeholders to review draft measures, backers of the comprehensive cyber security legislation hope to get buy in from these groups.
The draft legislation is being hashed out in working groups that consist of the chairmen and ranking members and the staffs of the relevant committees that oversee cyber security-related policy. Senate Majority Leader Harry Reid (D-Nev.) said last month that he plans to begin floor debate in early 2012 on comprehensive cyber security legislation (Defense Daily, Nov. 18).
Lieberman said that he hopes the legislation is approved and sent to the president before he retires from the Senate at the end of next year.
Lieberman said that key provisions he has proposed include directing the Department of Homeland Security to work with the private sector in identifying risks to critical cyber infrastructure to “develop risk-based performance standards that these crucial systems would have to meet.” Then industry would move forward with ways to protect their systems, he said.
“These plans would be reviewed by DHS cyber experts to ensure they improve security,” Lieberman said. “Our legislation would also provide liability protection for owners and operators who are in compliance with their approved security plans.”
Lieberman added that the private-public partnership around cyber security would enable DHS to develop best practices that could be used by industry on a voluntary basis. Still, utilizing these best practices would provide a marketing benefit to companies in maintaining and attracting customers.
“Imagine the bank that has to explain to its customers, or to a court of law, that customer account information was stolen because it did not implement readily available security measures,” Lieberman said.
Supply chain security is also a key feature of the forthcoming Senate legislation, Lieberman said.
“Our bill would encourage the federal government to do business with companies that bake in security from the outset and avoid those that try to bolt it on later,” Lieberman said.
DHS would also have the authority to share threat, vulnerability and mitigation information with the private sector, Lieberman said.
DHS currently shares threat information with the private sector but industry officials frequently say the threat information arrives too late or is too vague.
While the Senate is preparing a comprehensive cyber security bill, lawmakers in the House are expected to begin introducing a number of small bills to address cyber security issues. James Lewis, a an analyst with the Center for Strategic and International Studies who follows cyber security issues, told Defense Daily on Friday he expects one of the congressional chambers to possibly pass a cyber bill as early as January and then end up in a House and Senate conference with either small bills or a big bill for approval within six months.
Lewis said that the two “biggest sticking points” between the Senate and House in their respective approaches to cyber legislation are how much new authority, particularly regulatory authority, to give DHS, as well as its role vis-a-vis the Defense Department and others, regarding cyber security.
Second, there are privacy issues, Lewis said.
“You can’t really do information sharing unless you modernize existing legislation and the privacy types want to do that in a very slow deliberate fashion and that would probably take a couple of years,” Lewis said.
Lieberman also said that DHS needs to leverage cyber security expertise that already exists within the federal government. He noted that the FY ’12 National Defense Authorization Act approved by Congress last week includes a provision that codifies an existing agreement between DHS and the National Security Agency to share resources.