Growing concerns about cybersecurity threats have prompted a bipartisan group of U.S. senators to introduce legislation aimed at securing the country’s vital infrastructure. Private-sector companies that operate critical infrastructure systems, however, say the bill goes too far.
The Cyber-Security Act of 2012 (S. 2105), introduced in mid-February, would require the Department of Homeland Security to combine its cybersecurity programs into a unified office called the National Center for Cyber-Security and Communications. The bill grants DHS authority to establish standardized cybersecurity protocols for private companies engaged in the operation of the nation’s critical infrastructure. The bill also calls for increased sharing of cyber-threat information between private companies and the federal government.
Jim Lakely, codirector of the Center on the Digital Economy at The Heartland Institute, which publishes InfoTech & Telecom News, said the bill grants too much government control over private firms.
“Private firms should be wary,” Lakely said. “Any private firms that allow government monitoring of their programs have a responsibility to inform their clients and affiliates of that status and allow escape from any contracts on that basis.”
Cybersecurity v. Freedom
“This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us,” said Sen. Joe Lieberman (I-CT), Homeland Security and Governmental Affairs Committee Chairman and sponsor of the bill, in a statement.
The legislation would impose a public-private cybersecurity partnership on critical infrastructures which, if destroyed by a cyberattack, “could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security,” according to the press release. The bill defines critical infrastructures as including power, water, and transportation.
‘Needlessly Redundant’ Requirements
OpenCongress, a nonprofit, nonpartisan public resource Web site, identified the following organizations as opposing the bill: U.S. Chamber of Commerce, Bank of America, JP Morgan Chase, National Association of Manufacturers, and the Financial Services Roundtable.
Financial Services Roundtable spokesperson Elise Brooks told InfoTech & Telecom News the organization supports the overall goals of S. 2105 and its “comprehensive approach to strengthening cybersecurity” but has serious reservations about provisions in the bill.
“The concern we have with S. 2105 is the two instances where it fails to take into account the existing regulatory structure over cybersecurity issues facing the financial services industry. First, the bill unnecessarily replaces the industry’s longstanding regulator on issues of cybersecurity—the Department of Treasury—with a new agency, the Department of Homeland Security. Treasury and the financial services industry have a longstanding relationship and worked together to create a robust system to guard against and respond to threats to cybersecurity,” Brooks said.
“Secondly, rather than utilizing existing channels of communication between the financial services industry and other sectors and the government, the bill adds needlessly redundant information-sharing requirements. We support utilizing existing frameworks to strengthen cybersecurity,” said Brooks.
Kill Switch Dumped
This new legislation follows attempts over the last year by the National Security Agency to expand its role in regulating privately owned companies dealing in vital infrastructure, which met resistance from the Obama administration due to privacy concerns.
The NSA’s proposal, called Tranche 2, would have required hundreds of companies with a role in critical infrastructure systems to allow their computer networks to be scanned for cybersecurity threats. DHS helped develop the plan. The proposal was killed in a White House meeting last August.
In an attempt to move the legislative process forward, S. 2105 does not include emergency authorities for the President—commonly referred to as the “kill switch”—as previous cybersecurity legislation did. The new legislation also would not create a special White House cybersecurity office.
Cybersecurity ‘Top Priority’
Debbee Keller, a spokesperson for the U.S. House Committee on Energy and Commerce, says the 112th Congress has made cybersecurity a top priority. The committee has jurisdiction over several of the networks and critical infrastructure the legislation addresses.
“Cybersecurity is essential to maintaining our nation’s security in the 21st century,” Keller said. “Several subcommittees have already held hearings, and a bipartisan Communications and Technology Working Group is currently working to examine the current landscape and lay the foundation to determine solutions when it comes to communications networks.”
Keller added, “The Communications and Technology Subcommittee has been discussing the important balance between private sector and government involvement—specifically examining a voluntary, incentives-based approach to promote best practices. The more information we gather, the more equipped we will be to combat this issue.”
Other requirements mandated by the legislation include information-sharing between and among the private sector and the federal government. Although the bill’s cosponsors claim sharing of information would be done while maintaining civil liberties and privacy, questions still remain about how freedom of the Internet will be balanced against cybersecurity.
“Freedom on the Internet must always prevail,” said Lakely. “The irony is that over the years, the private sector has proven much more effective and nimble in addressing security threats than has the federal government. Why? Because private firms promise security and have to deliver, so they are always on the cutting edge of technology.”
Lakely added, “If [private firms] don’t deliver what they promise, they lose customers. But if they establish a reputation for reliability, they gain customers. That incentive is much more powerful and real than any security plan devised by a federal bureaucrat.”
Alyssa Carducci writes from Tampa, Florida.
“Senate Bill 2105: The Cyber-Security Act of 2012,” Senator Joe Lieberman, February 2012: http://news.heartland.org/sites/default/files/cyber_the_cybersecurity_act_of_2012_final.pdf