The war of words over the role of government in regulating the mostly private owners of the nation's critical IT infrastructure is getting hotter.
On the day that two Republican congresswomen introduced the House version of Sen. John McCain's SECURE IT Act, the sponsor of a rival bill responded with what he sees as strong ammunition: a statement by the head of the National Security Agency and the military's Cyber Command calling for government-induced cybersecurity standards to secure the vital private networks.
Reps. Mary Bono Mack, R-Calif., and Marsha Blackburn, R-Tenn., introduced the SECURE IT Act on March 27; like its Senate counterpart, it does not provide for any government regulation of the infrastructure owners.
"The Bono Mack-Blackburn ... puts the private sector in the driver's seat, instead of relying on overly prescriptive government mandates that hamper growth and weaken response capabilities," Blackburn said in a statement introducing the legislation. "Incentive-based security works better than heavy-handed mandates."
But Rep. Jim Langevin, the Rhode Island Democrat who chairs the Congressional Cybersecurity Caucus, asks why the nation should not accept regulations to protect its cyber infrastructure when it does not accept voluntary safety standards for its airlines or food systems.
"It's time to move beyond the fantasy that this problem will solve itself through good intentions," he said. "We need swift action to compel these companies to invest in our national security before it's too late. Cybersecurity legislation without critical infrastructure protection is dangerously inadequate."
The chief sponsor of the Cybersecurity Act of 2012, Sen. Joseph Lieberman, ID-Conn., pulled out what he sees as a big gun: Army Gen. Keith Alexander, director of the NSA and commander of Cyber Command, quoting testimony the four-star general gave to the Senate Armed Services Committee. Here's part of a press release Lieberman issued on Alexander's testimony:
"I do think we have to have some set of standards," Alexander said. When asked if information sharing was the "crux" of securing critical infrastructure, Alexander responded, "not actually ...", adding that security standards for critical infrastructure and better information sharing were both necessary.
Lieberman's bill would give DHS the authority to collaborate with the private sector to establish security standards for the nation's most important cyber networks such as those that keep the electricity on, the water running, or our transportation systems functioning properly. The bill also calls on private companies to share threat information with DHS; information sharing under the SECURE IT Act would be voluntary.
Until recently, cybersecurity lawmaking had been touted as a bipartisan effort. But in recent months a partisan divide has surfaced over the role of government in regulating the private sector. The suspects are the usual ones: Democrats tend to favor some form of standards; Republicans, for the most part, oppose them.
The Cybersecurity Act of 2012 does have one Republican sponsor, Susan Collins of Maine, but most of the other backers of that bill are Democrats. That measure, in fact, provides for weaker government regulation than earlier versions of the legislation, in an attempt to get real bipartisan support. So far, weakening the provisions doesn't seem to be working. And, there are no signs that either side is giving in.
The political divide also can be seen in draft legislation forwarded by Rep. Darrell Issa, the California Republican who chairs the powerful House Oversight and Government Reform Committee. His Federal Information Security Amendments Act of 2012 narrowly focuses on updating the Federal Information Security Management Act, but doesn't address the IT security oversight of civilian agencies already given to the Department of Homeland Security by the Obama White House [see Would Issa Bill Usurp DHS Cyber Power?]. A number of, but not all, Republicans are distrustful of DHS as an IT security leader, so the failure to provide such oversight in his bill is further evidence of the vanishing bipartisanship on cybersecurity.