“We have to get there somehow,” the Rhode Island Democrat said, adding that the sponsors had “bent over backwards” to accommodate the concerns of privacy advocates.
Jessica Herrera-Flannigan, a lobbyist working on the issue, said timing is everything.
“With the recent revelations [about the NSA] the chances for information-sharing legislation are more dubious at this point, at least until the surveillance issues are dealt with,” she said.
Mr. LeDuc, from the software industry association, said the Commerce Committee bill builds on a cybersecurity executive order signed earlier this year by President Obama. The order put the National Institute for Standards and Technology, essentially the government’s top technical experts, at the center of efforts to help the private sector develop a voluntary framework for cybersecurity.
If signed into law, the new Senate bill would codify the place of NIST and the involvement of industry stakeholders, but it would not spell out what the cybersecurity framework should look like.
“Your bill is narrowly tailored and industry-focused,” wrote the U.S. Chamber of Commerce, which has strongly opposed a regulatory approach, in a letter to the bill’s authors Monday.
One source of opposition to both the regulatory and information-sharing provisions of previous bills was the role they envisaged for the Department of Homeland Security.
Critics pointed to the program DHS runs to ensure physical security at the nation’s chemical plants, which congressional testimony last year revealed had failed to hire staff or approve any security plans.
“DHS defending our networks? Uh-oh!” laughed Gary McGraw, a security engineer and chief technology officer for computer company Cigital, expressing widespread skepticism among industry executives about the capabilities of the troubled department.
“They are the ministry of silly walks,” he said of DHS.
He said the government might be better at dealing with the aftermath of an attack and finding out who was responsible. “I call that ‘Clean up on aisle four,’” he said. “But when it comes to building secure software and running secure systems,” the private sector very much has the edge.