After beginning to circulate draft legislation last week aimed at helping to achieve consensus on a comprehensive cyber security bill in the Senate, Senate staff this week began meeting with various stakeholders, including relevant Senate committees, to explore any changes to the planned legislation and gather support prior to introducing it on the floor as early as January, according to Senate staff.

These stakeholder meetings, which include government and industry, will continue into January, a Senate staffer told reporters during a background briefing earlier this week.

Senate Majority Leader Harry Reid (D-Nev.) last month said he plans to begin floor debate during the first work period of 2012, which ends on President’s Day in February, and his staff has been unwavering in saying that commitment stands, the staffer said.

The staffer said that the draft legislation that has been developed for Senators Joseph Lieberman (I/D-Conn.) and Susan Collins (R-Maine), the chairman and ranking member, respectively, of the Homeland Security and Governmental Affairs Committee, is expected to change and be improved upon as a result of the various stakeholder meetings. None of the draft legislation has gotten to the point where it has been signed off on by key Senators so that it’s basically ready in final bill form, the staffer said.

That said, “I don’t know how many [Senate] members will be on board in the end,” the staffer said. The staffer doesn’t expect the chairman and ranking members of all the various Senate committees that have jurisdiction in the area of cyber security to agree with everything in the bill “but I think we’ll have a significant group supporting at a minimum the core principles.”

Those core principles revolve around the need to improve the security of the nation’s critical infrastructure, and the forthcoming Senate bill, as well as different pieces of legislation that have been, and are planned to be, introduced in the House, are trying to accomplish this. But of course the devil is in the details.

Some of the key differences that are expected to surface, at least between the House and Senate, in their respective cyber bills will be around privacy issues and how much regulatory authority to give the Department of Homeland Security, in particular over critical infrastructure, the vast majority of which is owned and operated by the private sector in the United States.

Last month four Republican Senators, Kay Bailey Hutchison (Texas), Saxby Chambliss (Ga.), Lisa Murkowski (Alaska) and Charles Grassley (Iowa), wrote to Lieberman and Collins saying that, in order to move forward more quickly, the focus of forthcoming cyber security legislation should be more in line with the House’s efforts, where there is already consensus on things such as information sharing between government and industry and improving law enforcement tools, rather than on crafting a more comprehensive bill.

In a Nov. 17 response to their colleagues, Lieberman and Collins wrote that the more limited efforts are “only part of the solution” and “will not ensure that the systems that control our nation’s most critical infrastructure—for instance, power, water, and transportation systems—are adequately secured.”

The Senate staffer said there is still plenty of time for the Senate to work out its differences over legislation and that where differences remain, they will make for “good debate.”

The House plans for cyber legislation, which are being led by Republicans, are aimed at limiting regulation and creating incentives for companies to bolster their cyber security. The Senate, at least from the point of view of Lieberman and Collins, would like to see more enforcement of existing regulations, and possibly to fill the gap in industry sectors where regulations are inadequate.

In their November letter, Lieberman and Collins said, “We can no longer simply wait and hope that significant vulnerabilities that have existed for years in the infrastructure that supports our national and economic security will be fixed. It is here, where the market has failed to provide adequate incentives to drive security, that Americans expect their government to play a role.”

The Senate staffer said that the approach being considered in draft language doesn’t meddle with existing regulations and is system or asset based, not company based. Moreover, the draft documents related to critical infrastructure are concerned with cases where cyber attacks could lead to disruptions that cause regional and national disasters. For example, they are not concerned with human resource systems, the staffer said.

“What we envision happening is you go into a sector, you look at what’s being done, you look at where you think the security level should be, and you write for that delta,” the staffer said. “So you’re filling the gap, you’re not moving into an area and sweeping everything that’s been done.”