A U.S. Senate committee has dropped some of the most controversial pieces of a wide-ranging cybersecurity bill that had been stalled for nearly a year, but some tech industry groups still have concerns about new regulations that the legislation would create for some companies.
The U.S. Senate Commerce, Science and Transportation Committee, on March 24, approved the Cybersecurity Act by a voice vote, but representatives of trade groups the Business Software Alliance (BSA) and the Information Technology Industry Council (ITI) said they hope they will see changes to the bill before it moves forward.
Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, introduced the bill in April 2009, and the original version of the legislation was controversial because it would have allowed the U.S. president to shut down portions of the Internet that were under attack.
The bill has been through several drafts, and the language allowing the president to shut down parts of the Internet is no longer in it. However, the new version of the bill would still create new regulations for some systems connected to the Internet designed as “critical infrastructure systems,” representatives of BSA and ITI said.
The companies operating those systems would have to use accreditation, training and certification programs approved by U.S. President Barack Obama, in consultation with a mix of public- and private-sector groups. Companies providing critical infrastructure systems would be subject to twice yearly audits, under the current language of the bill.
The bill “creates an environment that’s focused on compliance rather than innovation,” said Franck Journoud, BSA’s director of global cybersecurity policy. “It creates a one-size-fits-all approach to cybersecurity.”
Rockefeller and Snowe defended the legislation in an editorial published by the Wall Street Journal Friday. U.S. networks are under constant attack and the legislation is needed, the senators wrote.
“Our proposal does not take private management responsibility away from private networks,” they wrote. “To the contrary, it empowers the owners and operators of critical networks to meet cybersecurity challenges.”
But the compliance process set up in the bill could prevent companies from deploying “cutting-edge” cybersecurity defenses, Journoud said. The twice-yearly audits will be a “fairly onerous process of writing and gathering reports and showing evidence you’ve done X, Y and Z,” instead of focusing on improving cybersecurity, he said.
The bill’s focus on compliance will weaken efforts to prevent cyberattacks, added Dean Garfield, ITI’s president and CEO. “For more than a decade, the information and communications technology industry has helped set the standard for 21st century cybersecurity,” he said. “Instead of imposing new government standards, it is critical that policymakers utilize what’s already working in the private sector.”
Obama, consulting with private and public groups, would designate which companies run critical infrastructure systems. Critical infrastructure is any system that if infiltrated, incapacitated or disrupted, “would have a debilitating impact on national security, including national economic security and national public health or safety,” according to the bill.
That definition is too broad, and private industry doesn’t have enough input into who is designated as a provider of critical infrastructure, Journoud said. “The bill could catch potentially a lot of different companies,” he added.
Journoud also questioned the bill’s requirement that cybersecurity workers in critical infrastructure companies have certifications. Some of the “most brilliant people” working in cybersecurity don’t have traditional certifications, and the bill could prevent them and others from working on critical infrastructure systems, he said.
Still, Journoud, Garfield and Kevin Richards, federal government relations manager for Symantec, praised large parts of the bill.
The bill is a “major achievement” because it’s the first major cybersecurity bill to move through a committee in this session of Congress, Richards said. Committee staffers have given companies and trade groups assurances that they’re still open to changes in the bill, he said.
Large parts of the bill focus on funding for cybersecurity research and development, public education about cybersecurity problems and training for cybersecurity professionals, and both Richards and Journoud praised those parts of the bill.
For example, the bill would expand a scholarship-for-service cybersecurity program at the U.S. National Science Foundation, and it would authorize the U.S. National Institute of Standards and Technology to establish cybersecurity competitions to attract and recruit talented people into the field.
Rockefeller and Snowe also put a lot of emphasis on the public and private sectors working together on cybersecurity issues, Richards added. “I think it’s a very thoughtful piece of legislation, but I think there are still some details that need to be worked out in terms of … the latest and greatest innovation,” he said.
It’s unclear whether the bill will pass through Congress this year. Other committees may want to put their mark on the bill, Richards said.
Garfield was more optimistic that a comprehensive cybersecurity bill could be passed this year. “Never before in the history of the Internet has there been such an urgent need for policymakers and private sector leaders to work together and find a long-term solution,” he said. “While there’s still work to do, the high-tech industry supports many of the goals outlined in the Rockefeller-Snowe bill.”