Lieberman, Collins, Rockefeller, Feinstein, Carper Offer Revised Legislation to Improve Security of our Most Critical Private-Sector Cyber Systems
National Security, Economy, Essential Life Services At Stake
Jul 19 2012
WASHINGTON – The five co-sponsors of bipartisan cybersecurity legislation introduced new, revised legislation Thursday to protect our national security, economic security, and life-sustaining services from increasingly commonplace cyber attacks.
The co-sponsors – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Maine, Commerce Committee Chairman Jay Rockefeller, D-W.Va., Select Intelligence Committee Chairman Dianne Feinstein, D-Ca., and Federal Financial Management Subcommittee Chairman Tom Carper, D-Del. – offered the revised Cybersecurity Act of 2012 in a good-faith effort to secure enough votes to address the immediate threat of attack from foreign nations, hacktivists, criminals, and terrorists against the nation's most critical cyber systems.
Lieberman said: "This legislation is urgently needed to address the clear, present, and growing danger of cyber attacks against our most critical systems. In an era when anyone can buy the technological capability to cripple the electric grid, steal proprietary information from seemingly secure websites, and digitally drain bank accounts of money, our most important networks are alarmingly vulnerable. We must respond with speed and resolve to a threat that will only increase.
"This compromise bill creates a public-private partnership to set cybersecurity standards for critical American infrastructure, and offers the reward of some immunity from liability to those who meet those standards. In other words, we are going to try carrots instead of sticks as we begin to improve our cyber defenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system.
"While the bill we introduced in February is stronger, this compromise will significantly strengthen the cybersecurity of the nation's most critical infrastructure and with it our national and economic security.
"We responded after the 9/11 attacks to improve our security. Now we must respond to this latest challenge before a cyber 9/11 occurs."
Collins said: "Experts have repeatedly warned that the computer systems that run our critical infrastructure – our electric grid, water systems, financial networks, and transportation systems – are vulnerable to a major cyber attack. A cyber attack is a threat not just to our national security, but also to our economic edge and way of life.
"The owners and operators of critical infrastructure reported nearly 200 cyber intrusions in 2011, a 400 percent increase from the previous year. And these are only the intrusions that have been reported to DHS. Many go unreported, and even worse, many owners are not even aware that their systems have been compromised. Moreover, U.S. companies lose about $250 billion a year through intellectual property theft, $114 billion to theft through cyber crime and another $224 billion in down time the thefts caused.
"The data and the headlines make it clear that we have already waited too long to address this escalating threat. In an effort to move this overdue legislation forward, the measure released today represents the Senate's best chance to pass cyber legislation this year. Our bill is a good-faith effort to address the concerns of members of both sides of the aisle by establishing a framework that relies upon the expertise of government and the innovation of the private sector. It would set voluntary, outcome-based cybersecurity best practices and encourage adoption by companies through various incentives. It also promotes the sharing of cyber threat information within the private sector and with government in real-time, while safeguarding privacy and civil liberties. I look forward to working with my colleagues on this bill through an open amendment process during its consideration on the Senate floor."
Rockefeller said: "Our country, from the government to utility companies to Fortune 500 companies – we all are unprepared when it comes to cybersecurity. This legislation is a critical first step in our country's response to this problem. I had previously sponsored a bill with a stronger regulatory approach to resolve this problem, but it's become clear that some members of the Senate would not support that approach. While I still prefer the regulatory approach, and believe that it would better protect our country, we are moving forward in the spirit of compromise with an incentives-based voluntary approach because it is a crucial matter of public safety and national security that we do something now to ensure our most critical infrastructure is protected from cyber-attacks."
Feinstein said: "We have worked very closely with Senate colleagues, privacy groups and industry to strengthen the bill's privacy protections without undermining the fundamental goal of improving information cybersecurity sharing. I believe the bill is stronger as a result of these changes."
Carper said: "The Internet touches the lives of everyone in American society on a daily basis. It's where we communicate, work, shop, and bank. It also forms the backbone of key critical infrastructure, such as the electric grid and our transportation network. Given all that relies on a safe and secure internet, it's critical that we do what's necessary to protect us from hackers, thieves, and cyber terrorists. For far too long we have lacked a modern approach to ensuring the security of cyber space. This legislation addresses that need and puts in place a new framework that should better balance the needs and concerns of both government and the private sector. I am hopeful the Senate will pass this legislation as soon as possible."
The revised Cybersecurity Act of 2012 is the product of a decade of hearings and studies, three years of legislative drafting, and months of consultations and negotiations among Senators of both parties, and companies and trade associations representing the information technology, financial services, telecommunications, chemical, and energy sectors, among others. National security, privacy, and civil liberties experts also provided essential counsel.
The measure envisions a public-private partnership to secure the most critical cyber systems.
The revised Cybersecurity Act of 2012 would:
- Establish a multi-agency National Cybersecurity Council - chaired by the Secretary of Homeland Security - to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
- Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
- Allow owners of critical infrastructure to participate in a voluntary cybersecurity program. Owners could join the program by showing either through self-certification or a third-party assessment that they are meeting the voluntary cybersecurity practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyber issues.
- Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
- Permit the private sector and the federal government to share information on threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
- Require designated critical infrastructure - those systems which, if attacked, could cause catastrophic consequences - to report significant cyber incidents.
- Require the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
The Senators stressed that the revised Cybersecurity Act of 2012 does not affect copyrighted information on the internet and thus in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act. The focus of the revised Cybersecurity Act is to improve the security of systems that control the essential services that keep our nation running – for instance, power, water, and transportation networks.