By David Fagan and Kristen Eichensehr
Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process — shepherded by Senate Majority Leader Reid and Minority Leader McConnell — with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.
As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.
The bill also addresses information sharing between the government and the private sector and among private sector entities with respect to cybersecurity threats. The bill instructs the Secretary of Homeland Security to establish a process to designate “cybersecurity exchanges,” both governmental and non-governmental, to serve as clearing houses for receiving and distributing cybersecurity threat information. Shared information could only be used to protect information systems from cyber threats. The bill would provide liability protections for those who share information consistent with its provisions.
Other provisions of the bill address government cybersecurity, future needs, and the international dimensions of cybersecurity:
- The bill would consolidate existing DHS cyber offices into a new National Center for Cybersecurity and Communications (“NCCC”), to be headed by a Senate-confirmed presidential appointee. The NCCC would have responsibility for, among other things, coordinating federal cybersecurity efforts, conducting risk assessments of covered critical infrastructure, and developing national incident response plans.
- With respect to the government’s own security posture and preparedness, the bill would substantially revise the Federal Information Security Management Act of 2002 (FISMA) and move toward continuous monitoring and risk assessment of federal systems.
- To ensure future cybersecurity needs can be met, the bill mandates education and awareness campaigns, establishes a federal Cyber Scholarship-for-Service program, amends hiring authority for federal cybersecurity employees, and requires development of a national cybersecurity research and development plan.
- The bill focuses on the international dimensions of cybersecurity, directing the Secretary of State to designate a senior-level State Department official to coordinate U.S. diplomatic engagement on international cyber issues, provide strategic direction and coordination for U.S. policy on international cyber issues, and coordinate with relevant Federal agencies to develop interagency plans regarding international cybersecurity.
Witnesses at yesterday’s hearing included co-sponsor Senator Rockefeller, who pledged to introduce an amendment to the bill on the floor to require businesses to disclose material information relating to information security risks and events in filings with the Securities and Exchange Commission (a proposal that had been kept out of the bill in the face of opposition from industry); and co-sponsor Senator Feinstein, who pressed for the inclusion of federal data breach notification requirements in the bill.
In the time allotted for questioning, Senator John McCain (R-AZ) expressed concerns over the bill, echoing a letter that he and six other Republican Ranking Members of Committees sent earlier this week to Majority Leader Harry Reid (D-NV) and Minority Leader Mitch McConnell (R-KY). Senator McCain criticized the bill’s co-sponsors and Senate leadership for a lack of consultation with the other ranking members and committees — a criticism that Senator Lieberman refuted. Senator McCain announced that after the Presidents’ Day holiday he and the letter’s other signatories intend to introduce their own cybersecurity bill focusing on a cooperative approach to information sharing with the private sector.
The second panel of the hearing featured Secretary of Homeland Security Janet Napolitano, who was the only witness from the executive branch. The third panel included testimony from former Secretary of Homeland Security Thomas Ridge (now the Chairman of the National Security Task Force for the U.S. Chamber of Commerce); Stewart A. Baker, former Assistant Secretary of Homeland Security; Dr. James A. Lewis of the Center for Strategic and International Studies; and Scott Charney, the Corporate Vice President for Trustworthy Computing at Microsoft.