Senate Republicans' cybersecurity bill puts the onus on industry, diverges from earlier bipartisan bill.
Senate Republicans, led by Sen. John McCain (R-Ariz.), on March 1 unveiled a new cybersecurity bill that puts the onus on industry to protect networks and offers no new mandates or funding.
The Republicans’ bill is an answer to another, bipartisan bill offered up on Feb. 14 that they believe to be overreaching in authority. That bill, the Cybersecurity Act of 2012, would expand the authority of the Homeland Security Department, implement new regulations to protect critical infrastructure and create a new National Center for Cybersecurity and Communications.
“The only government actions allowed by our bill are to get information voluntarily from the private sector and to share information back,” McCain said of his bill, dubbed the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology (SECURE IT) Act. “We have no government monitoring, no government takeover of the Internet and no government intrusions.”
The SECURE IT Act instead focuses on voluntary sharing of cyber-threat information between industries and government, including by easing anti-trust laws that restrict information-sharing between private companies and offering legal protection to companies that take proactive measures to protect their networks. It also aims to reform federal cybersecurity standards.
The new bill relies on existing federal cybersecurity organizations to coordinate cybersecurity action rather than establishing new centers. It also toughens punishment for cyber criminals, which the Feb. 14 bill does not.
“Rather than arming Homeland Security with expansive new regulatory authority over every sector of our economy, the SECURE IT cyber bill we’ve introduced today emphasizes a partnership approach between the government and private entities,” Sen. Lisa Murkowski (R-Alaska) said in a press briefing during which the Republican bill was introduced.
The older, bipartisan-backed bill included measures that would require upgrades to critical infrastructure; in some cases it would designate certain private networks as critical infrastructure and compel them to be secured according to federal standards.
A handful of industry groups have already issued statements in support of the SECURE IT Act.
“We were pleased to see the inclusion of enhanced penalties for cyber criminals. As much as we strive to prevent attacks, there must also be consequences for those that are behind them,” TechAmerica’s acting president & CEO Dan Varroney said in a released statement, which also lauded Congress’ efforts in boosting national cybersecurity. “It is very encouraging to see a focus on cybersecurity by so many members of the Senate, and we urge the authors of both bills to work together to create the best possible, bipartisan framework to enhance our nation’s cybersecurity.”
However, some industry experts had already expressed concerns that the earlier Cybersecurity Act didn’t go far enough – and the new bill stops far short of the measures included in the earlier legislation, a fact the Republicans highlighted in introducing SECURE IT.
“As currently drafted [the Cybersecurity Act of 2012] includes significant loopholes that would keep our nation at risk,” Jim Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, said at a Feb. 16 Senate hearing. “Some of these loopholes are intended to accommodate industry concerns. These industry concerns are understandable and the bill makes reasonable efforts to accommodate them. However, in a few instances, the language to assuage industry concerns goes too far and ends up putting national security at risk.”