In a move to get cybersecurity legislation approved before the Senate recess, Sen. Joseph Lieberman (I-Conn.) and four colleagues introduced a modified version of their proposed cybersecurity legislation that adds privacy protections for consumers and removes government mandated security standards.
Republicans had opposed the initial version of the Democrat-backed bill, introduced in February, because it called for the Department of Homeland Security (DHS) to assess power companies, utilities, and other firms that operate critical infrastructure for security problems and to create performance standards -- provisions that Senate Republicans considered too regulatory and too restrictive on businesses.
The new version also allows information sharing among private firms and the federal government on threats, incidents, and best practices, while preserving the civil liberties and privacy of users. That change came at the behest of civil libertarians who complained that the measure was too broad and could authorize wiretapping.
A compromise was needed in order for the measure to get at least 60 votes in the Senate. Lieberman acknowledged that the amended measure was watered down some, but suggested that even weakened legislation, if it gets passed, is better than none. "While the bill we introduced in February is stronger, this compromise will significantly strengthen the cybersecurity of the nation's most critical infrastructure and with it our national and economic security," he wrote in a statement published on his Web site.
"This compromise bill creates a public-private partnership to set cybersecurity standards for critical American infrastructure, and offers the reward of some immunity from liability to those who meet those standards," Lieberman wrote. "In other words, we are going to try carrots instead of sticks as we begin to improve our cyberdefenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."
Specifically, the revised Cybersecurity Act of 2012 would:
- Establish a multi-agency National Cybersecurity Council -- chaired by the Secretary of Homeland Security -- to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
- Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyberrisks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
- Allow owners of critical infrastructure to participate in a voluntary cybersecurity program. Owners could join the program by showing, either through self-certification or a third-party assessment, that they are meeting the voluntary cybersecurity practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyberissues.
- Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
- Permit information sharing between the private sector and the federal government on threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
- Require designated critical infrastructure -- those systems that, if attacked, could cause catastrophic consequences -- to report significant cyberincidents.
- Require the government to improve the security of federal civilian cybernetworks through reform of the Federal Information Security Management Act.
The American Civil Liberties Union said it was pleased with the changes related to privacy. "What's clear is that the cyber train is leaving the station and we are happy to help break the news that it looks like the Senate is moving to pass something much better than CISPA from a privacy standpoint," Michelle Richardson, legislative counsel for the ACLU Washington office, wrote in a blog post. "Not all of the problems with the Cybersecurity Act are solved yet, and you better believe that amendments to strip the privacy protections are in the mix."
Specifically, the revisions ensure that shared information goes directly to civilian agencies and not the military; the information is used strictly for prosecuting cyber crimes and protecting people from imminent threat of death or harm; agencies must submit annual reports on what information is shared and what is done with it; and people are allowed to sue the government if it intentionally violates the law, according to the ACLU.
The measure will be debated in the Senate next week as lawmakers try to get a cybersecurity bill passed before the August recess. Lawmakers are hoping new legislation will improve the ability of the government and power companies, utilities and other firms running critical infrastructure in the country to keep hackers and cyber threats out of their networks. The emergence of malware like Stuxnet and Flame; reports of holes in SCADA software; and data theft and attacks targeted at gas pipelines and other companies have spooked Congress.
Dissatisfied with the original Lieberman measure, GOP lawmakers had proposed their own, called CISPA (the Cyber Intelligence Sharing and Protection Act), which opponents said would usher in a new era of information sharing between companies and government agencies with limited oversight and privacy safeguards. Sens. Jon Kyl (R-Ariz.) and Sheldon Whitehouse (D-R.I.) also had proposed an alternative bill. Other co-sponsors of the Lieberman bill are Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.), and Tom Carper (D-Del.).
(CNET's Declan McCullagh contributed to this report.)
Updated at 4:20 p.m. PT with more details and ACLU comment and July 20 at 1:04 p.m. to correct spelling of Kyl's name.