Yesterday Senator John McCain (R-AZ) introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT Act). The bill’s cosponsors include Senators Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC).
In a hearing in the Senate Committee on Homeland Security and Governmental Affairs last month, Senator McCain expressed procedural and substantive concerns about the “Cybersecurity Act of 2012,” S. 2105, which was sponsored by Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV), and he announced his intention to put forward a competing cybersecurity bill.
One of the main differences between the two bills is the amount of government regulation they envision. The Cybersecurity Act of 2012 proposes that the Department of Homeland Security (DHS) make risk-based designations of covered critical infrastructure (CCI) and establish cybersecurity performance requirements for CCI, in consultation with the CCI owners and operators. The SECURE IT Act, on the other hand, does not propose any government regulation of privately owned critical infrastructure, nor does it include identification or designation of such infrastructure. In a statement released yesterday by the cosponsors of the SECURE IT Act, Senator Murkowski emphasized that the bill employs “a partnership approach between the government and private entities.”
The SECURE IT Act focuses on four main areas:
First, in lieu of regulation, the bill addresses the private sector by focusing on information sharing. It allows private entities to disclose cyber threat information to a cybersecurity center, which it defines to include existing cybersecurity entities within the Department of Defense, DHS, and the intelligence community. By contrast, the Cybersecurity Act of 2012 proposes the creation of new governmental and non-governmental “cybersecurity exchanges” to coordinate receipt and distribution of cyber threat information. Both bills permit disclosures between private entities and allow the government to share information with the private sector as necessary. The SECURE IT Act goes further, however, by mandating that the Director of National Intelligence and the Secretary of Defense develop procedures to promote the “immediate sharing of classified cyber threat information” with “appropriately cleared representatives of any appropriate entity.” Both bills would provide liability protections for entities that disclose or use disclosed information for cybersecurity purposes.
Second, like the Cybersecurity Act of 2012, the SECURE IT Act would change the federal government’s information security practices by reforming the Federal Information Security Management Act (FISMA). While the Cybersecurity Act of 2012 would give the Secretary of Homeland Security authority to promulgate rules governing federal information security, the SECURE IT Act would rest that authority with the Secretary of Commerce, acting in consultation with the Secretary of Homeland Security and based on recommendations from the National Institute of Standards and Technology. The SECURE IT Act would, however, give DHS the lead role in coordinating actionable cyber threat information and conducting security analyses of federal systems. Both bills would require risk-based assessments of information security and continuous monitoring of the security of federal systems.
Third, the SECURE IT Act would strengthen the penalties for certain computer-related crimes, as well as create a new crime of “aggravated damage to a critical infrastructure computer.” The Cybersecurity Act of 2012 does not address criminal law, but the cybersecurity proposals issued last year by the White House and the House Republican Cybersecurity Task Force both advocated strengthening cyber-related criminal provisions.
Finally, the SECURE IT Act addresses cybersecurity research and development. The bill proposes mechanisms for ensuring coordination of government, private sector, and academic research and development efforts and requires creation of a federal cybersecurity research and development plan. It also provides for a federal cyber scholarship-for-service program.
Senators Lieberman, Collins, Rockefeller, and Feinstein issued a joint statement in reaction to the SECURE IT Act, stating that they are “encouraged by [their] colleagues’ recognition that [Congress] must act to address the increasingly sophisticated and dangerous attacks on our national infrastructure,” and that they are “eager” to work with the cosponsors of the SECURE IT Act to “bring comprehensive cyber security legislation to the Senate floor as soon as possible.”