Republican committee leaders announced a competing cybersecurity bill on Thursday even as Senate Homeland Security Committee Chairman Joe Lieberman, ID-Conn., sought to consolidate support for his comprehensive proposals.
Lieberman is pushing his Cybersecurity Act of 2012, which would increase government oversight of some private networks like electric grids, water systems, or transportation, which could be at risk of cyberattacks. The Department of Homeland Security would be responsible for determining which businesses should be considered critical infrastructure.
Lieberman and other cosponsors chafed at suggestions that the bill is moving forward too quickly.
"To me it feels like it is Sept. 10, 2001," he said at a hearing of his committee. "The system is blinking red -- again. Yet, we are failing to connect the dots --again."
The bill, introduced on Tuesday, has been praised by the White House, as well as Senate leaders. At the hearing DHS Secretary Janet Napolitano said the bill would give her agency the authority it needs to combat cyberthreats.
“While the administration has taken significant steps to protect against evolving cyberthreats, we must acknowledge that the current threat outpaces our current authorities,” she told the panel. “Our cybersecurity efforts have made clear that our nation cannot improve its ability to defend against cyberthreats unless certain laws that govern cybersecurity activities are updated.”
Some top Republicans, however, including Sen. John McCain, R-Ariz., said that the bill would harm businesses and the economy.
“If the legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses -- which own roughly 90 percent of critical cyber infrastructure,” McCain said.
At Thursday’s hearing, McCain announced that he and other GOP senators plan to introduce a competing cybersecurity bill after the Senate returns next week. Their bill, McCain said, will favor incentives and partnership over regulation.
Former DHS Secretary Tom Ridge, who testified on behalf of the U.S. Chamber of Commerce, echoed some of McCain’s concerns about the proposed updates.
“Given the discretion that government officials would have in designating “covered” critical infrastructure, the likelihood for DHS to regulate entities in many American communities is considerable,” Ridge said. “A regulatory program would likely become highly rigid in practice and thus counterproductive to effective cybersecurity -- due in large part to a shift in businesses’ focus from security to compliance.”
Napolitano, however, said incentives by themselves are not enough and the Cybersecurity Act strikes a balanced approach.
McCain also articulated GOP discontent with Senate Majority Leader Harry Reid’s plan to bring the bill to the Senate floor without a separate markup. McCain and six other ranking members of Senate committees say the inter-committee working groups that developed the Lieberman bill ignored alternative ideas.
Lieberman said he was disappointed by the opposition and the criticism of the process. “The point is, we have reached out,” he said. “We pleaded for involvement.” Still, Lieberman said, he will welcome consideration of the alternative legislation.
Senate Commerce Chairman Jay Rockefeller, D-W.Va., a cosponsor of the Cybersecurity Act, also pushed back at concerns about the process. “Any suggestion that this exhaustive process has been anything but open and transparent is patently false,” he told the committee. The bill is the result of a three-year effort and is based on several other pieces of legislation that were approved by different committees.
Cyberattacks represent too great a threat to drag out the legislative process any longer, Rockefeller said.
“The reason that this cybertheft is a life-or-death issue is the same as the reason that a burglar in your house is a life-or-death issue,” he said. “Cyberburglars have broken in, and they have destructive cyberweapons that could do us great harm.”
Under the bill, all of Homeland Security’s cybersecurity efforts would be consolidated in a new National Center for Cybersecurity and Communications. The legislation would also seek to increase information-sharing between the government and private businesses, provide a new program for research and development, and increase standards for federal networks.