Senators put forward a bipartisan, business-backed measure Tuesday that aims to toughen the nation’s cybersecurity by relying on voluntary compliance by banks, utilities and other companies.
Observers said the bill — the Cybersecurity Act of 2013 — has a good chance of becoming law because it avoids the regulatory approach opposed by the business lobby.
“They have stayed away from the most controversial areas,” said David LeDuc, senior director for public policy at the Software and Information Industry Association.
The Senate Committee on Commerce, Science and Transportation approved the legislation Tuesday in a voice vote. Sens. John D. Rockefeller IV, West Virginia Democrat and committee chairman, and John Thune of South Dakota, the panel’s senior Republican, wrote the bill.
The legislation excludes provisions that would allow companies to share real-time cybersecurity information with the federal government, principally the National Security Agency. Such information-sharing provisions have drawn opposition from privacy and civil liberties advocates after leaks about the NSA’s data-gathering programs.
Former NSA chairman, retired Air Force Gen. Michael Hayden, said he doubts Congress will pass any information-sharing bill this year.
“Oh, that’s all frozen, that’s not going to happen,” he said. “We’ve lost [the chance to pass a bill for] another year.”
In April, the House passed an information-sharing measure — the Cyber Intelligence Sharing and Protection Act.
The bill was opposed by privacy advocates, who argued it would put the NSA, which operates under the Defense Department’s jurisdiction, in charge of protecting the nation’s civilian infrastructure and would facilitate broad Internet monitoring by the highly secretive agency.
The White House threatened a veto, citing privacy concerns.
Observers say the revelations by self-proclaimed NSA whistleblower Edward Snowden about the agency’s vast database of telephone records of calls made in America had made the bill a political nonstarter.
“We will in perpetuity have one of the least-well-defended networks on the face of the planet, because of our political culture,” said Gen. Hayden, referring to ever-increasing demands for openness and a distrust of secret government authorities.
“We haven’t yet as a nation decided what we want the government to do and what we’re going to let the government do on our own networks to defend us.”
“What congressman is going to get up and say, ‘What we really need here is to give the NSA some more running room’?” quipped Gen. Hayden, who also headed the CIA and was the second-in-command to John Negroponte, the first-ever director of national intelligence.
One of the authors of the House bill, Rep. James R. Langevin, said he still believed there would be opportunities to move information-sharing legislation.
“We have to get there somehow,” the Rhode Island Democrat said, adding that the sponsors had “bent over backwards” to accommodate the concerns of privacy advocates.
Jessica Herrera-Flannigan, a lobbyist working on the issue, said timing is everything.
“With the recent revelations [about the NSA] the chances for information-sharing legislation are more dubious at this point, at least until the surveillance issues are dealt with,” she said.
Mr. LeDuc, from the software industry association, said the Commerce Committee bill builds on a cybersecurity executive order signed earlier this year by President Obama. The order put the National Institute of Standards and Technology, essentially the government’s top technical experts, at the center of efforts to help the private sector develop a voluntary framework for cybersecurity.
If signed into law, the new Senate bill would codify the place of NIST and the involvement of industry stakeholders, but it would not spell out what the cybersecurity framework should look like.
“Your bill is narrowly tailored and industry-focused,” wrote the U.S. Chamber of Commerce, which has strongly opposed a regulatory approach, in a letter to the bill’s authors Monday.
One source of opposition to both the regulatory and information-sharing provisions of previous bills was the role they envisaged for the Department of Homeland Security.
Critics pointed to the program DHS runs to ensure physical security at the nation’s chemical plants, which congressional testimony last year revealed had failed to hire staff or approve any security plans.
“DHS defending our networks? Uh-oh!” laughed Gary McGraw, a security engineer and chief technology officer for computer company Cigital, expressing widespread skepticism among industry executives about the capabilities of the troubled department.
“They are the ministry of silly walks,” he said of DHS.
He said the government might be better at dealing with the aftermath of an attack and finding out who was responsible. “I call that ‘Clean up on aisle four,’” he said. “But when it comes to building secure software and running secure systems,” the private sector very much has the edge.