By Emelie Rutherford
A Senate panel approved cybersecurity legislation yesterday that would give the Department of Homeland Security (DHS) responsibility for protecting federal civilian networks and tweak the president’s ability to shut down communications networks.
Perhaps the biggest question surrounding the Protecting Cyberspace as a National Asset Act of 2010 is whether the Senate actually will take it up during this election year. The chamber has other high-profile bills it must address in the limited legislative time that remains.
Still, Senate Majority Leader Harry Reid (D-Nev.) has said it is a priority to pass a cybersecurity bill, multiple versions of which have been filed in Congress. He met two weeks ago, and plans to meet again, with cybersecurity-minded lawmakers including Sens. Joseph Lieberman (I/D-Conn.), Carl Levin (D-Mich.), Dianne Feinstein (D-Calif.), Patrick Leahy (D-Vt.), and John Kerry (D-Mass.).
The Senate Homeland Security and Governmental Affairs Committee marked up the Protecting Cyberspace as a National Asset Act of 2010, which was introduced two weeks ago by Committee Chairman Joseph Lieberman, (I/D-Conn.), Ranking Member Susan Collins (R-Maine), and member Tom Carper (D-Del.).
Lieberman and Collins expressed frustration yesterday that people have misconstrued a provision related to the president’s emergency powers to take over communications networks. The president already has this authority, they said, and the bill would restrict when he can use it.
To address this concern, the Homeland Security panel approved an amendment within a manager’s package of bill changes. The now-amended bill says the president can only use such emergency powers–to shut down critical private-sector networks during attacks–for 30 days at a time, and cannot exceed a total of 120 days without congressional approval. Aides said the language regarding this 120-day period is one of the most significant changes made to the legislation via the manager’s package of amendments.
“I know there’s been some alarmist traffic in the blogosphere claiming that this legislation would give the president a so-called kill switch for the Internet; not true,” Lieberman said. “What these reports fail to recognize is that to the extent that such a kill switch is even technologically feasible, the president already has arguably such authority under Section 706 of the 1934 Communications Act.”
The bill, he said, would require the president use a “scalpel” to address severe threats only to critical infrastructure. Under the legislation, the White House would be required to use the least-disruptive means possible to respond to a threat.
Collins noted that to craft the bill the committee consulted with the executive branch and private-sector experts over the past year.
She emphasized that the bill would create a public-private partnership intended to improve cybersecurity that would work with a new National Center for Cybersecurity and Communication (NCCC) at DHS.
The partnership “would encourage the private sector to voluntarily provide information about threats and vulnerabilities to our nation’s information technology infrastructure,” a bill summary says.
“Although owners/operators of covered critical infrastructure would be required to report on cyber attacks on their networks, the National Center for Cybersecurity and Communications (NCCC) would not have the authority to compel this disclosure,” it adds. “Information provided to the NCCC by the private sector would be protected from unauthorized disclosure. This system would rely on voluntary sharing of threat and vulnerability data and would help create a collaborative environment between the NCCC and the private sector.”
The NCCC would take over federal efforts to protect critical public and private networks, including communications networks, from attacks.
The legislation would create two new Senate-confirmable positions, one to direct the new NCCC and one to lead a new Office of Cyberspace Policy in the Executive Office of the President.
The new White House official would not have operational duties and would be more of an adviser who would develop a national cyberspace strategy.
The bill also would update the law governing how federal agencies protect their internal networks and systems, and develop a supply-chain risk-management strategy to protect products and services the federal government needs.
The legislation would not address military networks.The Pentagon just stood up the U.S. Cyber Command, a new sub-unified military command, last month under the leadership of Army Gen. Keith Alexander, who also directs the National Security Agency.
Other cybersecurity bills filed this session include the Cybersecurity Act of 2010 from Sens. John Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), which the Senate Commerce Committee approved in March.