Skip to footer

Cybersecurity bill (CISPA): After House passage, what will Senate do?

Sen. John McCain is pushing a voluntary cybersecurity approach, while another CISPA-type bill would require companies like electric utilities to meet federal cybersecurity standards.

  • By Mark Clayton Staff writer

With Thursday’s passage of the Cyber Intelligence Sharing and Protection Act (CISPA) in the US House, the focus now turns to the Senate, where two starkly different visions of how to meet the cyberthreat are vying for support.

One is a voluntary cybersecurity approach put forward by Sen. John McCain (R) of Arizona and backed by seven Republican senators and several business groups. The other is a bill cosponsored by Sens. Joseph Lieberman (I) of Connecticut and Susan Collins (R) of Maine – and backed by the Obama administration. It would require "critical infrastructure" companies – like electric utilities – to meet federal cybersecurity standards.

Calling the cyberthreat today "a real and present danger to this country," Senator Lieberman warned in a February Senate hearing that the time has come to act, after three years of work on cybersecurity.

"We simply cannot allow this moment to slip away from us," he said. "We need to act now to defend America's cyberspace as a matter of national and economic security."

Cybersecurity experts are generally supportive of the Lieberman-Collins bill – except for the loopholes. Two dangerous loopholes in the proposed legislation, these experts say, are: (1) setting the threshold for federal oversight much too high and (2) leaving the information-technology industry and Internet service providers with no oversight at all.

The only companies that would have to meet federal standards under Lieberman-Collins are those whose operations, if disrupted, "would cause mass death" or "major damage to the economy, national security, or daily life."

That means many, if not most, crucial computer networks would not be covered – and that weakness would inevitably be targeted by cyberwarriors, says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS) in Washington.

"No bill is better than a bad bill," Dr. Lewis says. "There's no question we're going to get a bill eventually. The only question is whether it will be before or after we're attacked."

Both the Lieberman-Collins bill and the McCain legislation have received poor reviews from privacy advocates. Lieberman-Collins has some privacy safeguards: It would require companies to anonymize the information they send to the government and use information received back from government only for cybersecurity. But that’s not enough to satisfy the Center for Democracy and Technology.

"Lieberman-Collins needs some substantial improvements, but overall is better for privacy than is CISPA," writes Gregory Nojeim, senior counsel at the Center for Democracy and Technology in an e-mail interview.

A CDT analysis found both bills have broadly written provisions that would:

• Share private communications with the National Security Agency and other federal entities, or with any other federal agency designated by the Department of Homeland Security.

• Monitor private communications passing over the networks of companies and Internet service providers.

• Employ countermeasures against Internet traffic.

In an effort to smooth passage, one provision has already been removed from the Lieberman-Collins bill that critics claimed would have given the president a “kill switch” to essentially turn off the Internet.

Meanwhile, Senator McCain’s competing bill would not offer new regulations, but instead promote information sharing with the government by providing immunity protection from lawsuits, among other things.

“The only government actions allowed by our bill are to get information voluntarily from the private sector and to share information back,” McCain said at a press conference unveiling the bill last month. “We have no government monitoring, no government takeover of the Internet, and no government intrusions.”

The political dynamic now is such that Congress will be doing well if it can pass any cybersecurity legislation at all – even a watered-down bill that offers only incentives to private industry to adhere to higher cybersecurity, says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security.

Senators are receiving a lot of pushback from companies saying they don't want the government setting up cybersecurity standards, Mr. Baker notes.

In one scenario, elements of the McCain bill will be folded into Lieberman-Collins, diluting it. If that bill then passes the Senate, it would go to a conference committee, where it could be further diluted.

But some say the McCain bill is already quickly losing support from its original backers – which could mean the Lieberman-Collins bill, undiluted, heads to a floor vote in May. That's a big “if” since lobbying groups for business interests are trying to derail Lieberman-Collins, several observers say.

The House bill passed by a vote of 248 to 168. It has provisions for sharing information but doesn't contain any federal cybersecurity standards.

All in all, the likelihood of strong federal requirements for cybersecurity at America's critical infrastructure companies – including the power grid – are very low, Baker says.

"Getting anything on this topic through Congress is going to be a very heavy lift," he says. "The House has made it clear they're not interested in federal standards. Senator McCain's bill does very little. I know there are negotiations. But all the political forces are conspiring to further water down the regulatory requirements."

In hopes of convincing lawmakers that cybersecurity legislation should be passed, the Obama administration last month staged a behind-closed-doors mock cyberattack for a group of 50 senators.

What would happen to New York City if the power grid succumbed to a cyberattack on a hot July day and was out for a long time? The senators found out, in a scenario not unlike the massive East Coast blackout in 2003.

Imagine apartment dwellers with no water. No lights. No working ATMs. No air conditioning. No elevators. In other words, none of the key features of modern civilization.

Cyber legislation would help avert such attacks, the senators were told by top administration officials including John Brennan, assistant to the president for homeland security; Gen. Keith Alexander, director of the National Security Agency; and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff.

It was "very compelling," Senator Collins said as she left the demonstration, according to Bloomberg News. “It illustrated the problem and why legislation is desperately needed.”

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.
editor@csmonitor.com
Subscribe
Mark Sappenfield
Editor

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

Subscribe to insightful journalism

QR Code to Cybersecurity bill (CISPA): After House passage, what will Senate do?
Read this article in
https://www.csmonitor.com/USA/Politics/2012/0427/Cybersecurity-bill-CISPA-After-House-passage-what-will-Senate-do
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe