Several top US senators have unveiled a revised version of cyber-security legislation they have been trying to get passed for years. The updated Cybersecurity Act of 2012 takes a softer approach, relying on "incentives rather than mandatory regulations."
The bill - from Senators Joe Lieberman, Susan Collins, Jay Rockefeller, Dianne Feinstein, and Tom Carper - would create a voluntary system whereby private companies would adhere to best practices in exchange for incentives like federal assistance on cyber issues and immunity after an attack.
The effort would be led by a multi-agency National Cybersecurity Council, chaired by the secretary of Homeland Security. But bill sponsors insisted that the legislation does not create new regulators or give agencies any additional power.
Ideally, Lieberman and Collins - who have led the charge on cyber-security issues in the Senate in recent years - said they would have preferred a more comprehensive and mandatory approach to cyber-security legislation. But getting everyone in Congress to agree has proven to be a difficult task, prompting yesterday's more measured approach.
"We have already waited too long," the senators said in a joint statement. The new bill is a "good-faith effort" to get something done, they continued, but if it doesn't work, "a future Congress will undoubtedly come back and adopt a more coercive system."
The earlier version of the bill was introduced in February, but a month later, Senator John McCain unveiled the Secure IT Act. There was talk about combining the two bills, but neither side could reach a workable deal, according to reports.
"While the bill we introduced in February is stronger, this compromise will significantly strengthen the cybersecurity of the nation's most critical infrastructure and with it our national and economic security," the senators said yesterday.
The senators were quick to point out that their bill "does not affect copyrighted information" and, therefore, does not resemble the controversial Stop Online Piracy Act (SOPA) or PROTECT IP Act (PIPA). Those bills were tabled earlier this year following an uproar over how they might affect the operations of legitimate websites, and inspired the creation of the Internet Defense League, which launched yesterday.
The bill, does, however incorporate elements of another controversial online security bill, the Cyber Information Sharing & Protection Act (CISPA). That bill, which passed the House in April, allowed for information sharing between private companies and the government about cyber threats. It was intended to help prevent the spread of cyber attacks, but detractors worried that it would allow companies to hand over personal information about users to the feds without permission.
The updated Cybersecurity Act of 2012 would "permit information-sharing among the private sector and the federal government to share threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users."
Other provisions of the bill include:
- Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks.
- Allow owners of critical infrastructure to participate in a voluntary cybersecurity program.
- Require designated critical infrastructure -those systems which if attacked could cause catastrophic consequences - to report significant cyber incidents.
- Require the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
The rollout of the updated bill coincided with a Wall Street Journal op-ed from President Barack Obama, in which he backed the updated Lieberman-Collins bill and said that "foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day."
Obama, who pledged to make cyber-security a priority in 2009, said it was important to make it "easier for the government to share threat information so critical-infrastructure companies are better prepared."
"I urge the Senate to pass the Cybersecurity Act of 2012 and Congress to send me comprehensive legislation so I can sign it into law," he concluded.