Supporters of a contentious and high-profile cybersecurity bill garnered enough support in the Senate yesterday to compel the chamber to start debating it.
A full 84 senators voted for a so-called motion to proceed to the Cybersecurity Act of 2012, 24 more than the 60 minimum needed. The Democrat-led Senate acted just as the White House logged its official support of the bill and Cyber Command head Army Gen. Keith Alexander said Congress must act to encourage private entities to share information about cyber attacks with the government.
Bill author Sen. Joseph Lieberman (I/D-Conn.) hailed the 84-11 Senate vote, which allows a contentious debate on long-delayed cyber legislation to begin in the chamber next Monday.
“Not that the debate is over, but the debate is going to begin, and an overwhelming majority of members of the Senate want to adopt cybersecurity legislation,” Lieberman said, looking ahead to deliberations over amendments.
The Cybersecurity Act of 2012, which Sen. Susan Collins (R-Maine) also crafted, has stirred controversy in part because it attempts to motivate critical-infrastructure providers, such as electric utilities, to adopt cybersecurity standards.
Co-sponsors of the bill–including Sens. Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.), and Tom Carper (D-Del.)–revised it last week to garner more support from Republicans and business interests concerned about critical-infrastructure mandates. The supporters dropped language authorizing the Department of Homeland Security to create mandatory standards for such providers. The current bill instead would offer incentives to them if they adopt voluntary security measures crafted by a public-private partnership.
Sen. John McCain (R-Ariz.) continued his criticism yesterday of the critical-infrastructure standards. He supports an alternate Republican bill, the Secure IT Act, which would create no new federal regulations and remove legal barriers to government and businesses sharing information about cyber attacks.
“I caution all of my…colleagues to tread very carefully here, because I’m deeply concerned that we’re on the cusp of granting the federal government broad authorities and influence over one of the most vibrant and innovative sectors of our economy,” McCain said. “The technology sector and the use of the Internet by American companies to innovate and improve the customer experience are deeply threatened by the heavy and too-often clumsy hand of government.”
Sen. Kay Bailey Hutchison (R-Texas) said she will offer the Secure IT Act as an amendment to replace the Lieberman-Collins bill now on the floor. That GOP bill, supported by Hutchison and McCain, is similar to the Cyber Intelligence Sharing and Protection Act (CISPA) the Republican-led House passed in April.
McCain said yesterday House members have told him the bill now on the Senate floor is “unacceptable.” Both chambers must agree on one bill to send to President Barack Obama.
Obama’s Office of Management and Budget (OMB) said yesterday it “strongly supports” Lieberman and Collins’ Cybersecurity Act of 2012. The office said back in April Obama could veto CISPA, charging it would violate citizens’ privacy and civil liberties.
Yet OMB said in a new Statement of Administration Policy it believes the Senate bill up for debate includes “strong protections for privacy and civil liberties.”
The office also said the revised Senate bill “contains critical-infrastructure protection measures that are less robust than in earlier drafts, but would still produce meaningful cybersecurity improvements.”
Meanwhile, Gen. Alexander said yesterday the government needs a cybersecurity law so that it can work more closely with private industry to monitor computer attacks.
“We need the ability to share information so we can see an attack and respond to it in real time,” he said during a talk at the Aspen Security Forum in Colorado.
Alexander, who also directs the National Security Agency, addressed the current debate in Congress over voluntary cybersecurity mandates for private entities.
“I think voluntary and incentivized can work,” he said. “Many companies don’t know what to do (regarding cybersecurity), so we’ve got to help set that standard….You’re not going to fix these networks this week, this is going to take time. And what we’ve got to do is to say, ‘So, if you’re going to fix your networks, here’s kind of how you need to implement the architecture to fix your network.’ Put that out. Get folks working towards that.”