Cybersecurity Bill Would Create Costly Regulations, Say Critics
Leaders in the U.S. Senate are trying to fast-track new cybersecurity legislation that will create costly new regulations for some businesses, some critics said Thursday.
A plan by Senate Democrats to move the Cybersecurity Act, introduced this week, directly to the Senate floor for a vote raises serious questions about the process and will lead to bureaucrats at the U.S. Department of Homeland Security writing regulations for businesses that control critical infrastructure, said Senator John McCain, an Arizona Republican, during a hearing on the bill.
The Cybersecurity Act, introduced Tuesday by four senators, would allow DHS to "promulgate prescriptive regulations on American businesses," McCain said. "The regulations that would be created under this bill authority would stymie job creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates."
The wide-ranging bill would require operators of so-called critical infrastructure networks to adopt cybersecurity practices if evaluations by DHS find their security lacking. The legislation would cover operators of systems that, if compromised, would cause mass death, evacuation or major damage to the U.S. economy.
The bill would allow owners of critical infrastructure systems to decide how best to meet the performance standards developed in cooperation with DHS.
McCain was among seven Republican senators who, in a Tuesday letter to Senate leadership, called for multiple hearings on the legislation. The Senate needs to have a serious discussion about whether DHS is the best agency to protect the U.S. against cyberattacks or whether the Department of Defense or National Security Agency might be better suited, McCain said.
Thomas Ridge, chairman of the National Security Task Force at the U.S. Chamber of Commerce and a former U.S. secretary of homeland security, also voiced opposition to the bill during the hearing, before the Senate Homeland Security and Governmental Affairs Committee. The bill doesn't appear to have a limit on what businesses DHS can designate as critical infrastructure, he said.
Cybersecurity mandates may not be effective, Ridge added. "Frankly, the attackers and the technology move a lot faster than any regulatory body or political body will ever be able to move," he said.
But supporters of the bill argued that new cybersecurity measures are needed. Lawmakers have been working on a comprehensive cybersecurity bill for years, and this legislation is a product of dozens of past hearings and meetings between lawmakers and business leaders, said Senator Joe Lieberman, a Connecticut independent and sponsor of the bill.
While critics call for delays, cyberthieves are looting U.S. businesses and government agencies, added Senator Susan Collins, a Maine Republican and co-sponsor. Sponsors made several changes to the bill in response to concerns from the Chamber of Commerce, she said.
"This bill is urgent," Collins said. "We can't wait to act. We cannot wait until our country has a catastrophic cyberattack."
Janet Napolitano, current secretary at DHS, and Stewart Baker, a former official at DHS and the NSA, both voiced support for the bill.
Although some critics have called for a stripped-down bill that deals mainly with security efforts at government agencies, "now is not the time for half-measures," Napolitano said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is firstname.lastname@example.org.