Partisan differences also surfaced Feb.16 at the Senate hearing as Homeland Security Secretary Janet Napolitano, a Democrat, disagreed with one of her predecessors, Republican Tom Ridge, over provisions that would require private businesses operating the nation's critical information infrastructure to meet certain IT security standards.
See Also: Don't Be The Next OPM: Recognizing Risk
Cybersecurity, for the most part, has been a bipartisan issue in Congress over the past decade, and even with divisions surfacing at the Senate Homeland Security and Governmental Affairs Committee hearing, the legislation under consideration bill - the Cybersecurity Act of 2012 - is a bipartisan bill; one of its chief sponsors and biggest defenders is Susan Collins, the Maine Republican who serves as the panel's ranking member [see Senators Unveil Major Cybersecurity Bill].
McCain, an Arizona Republican, voiced annoyance with the move by Democratic Leader Harry Reid to bring the bill to the Senate floor without the normal committee markup session, when members can offer amendments to alter the bill before the full chamber considers it.
"My friends, that's wrong," McCain said. "To suggest that this bill should move directly to the Senate because, quote. it's been around since 2009 is outrageous. First, the bill was introduced two days ago. And, where in the Senate rules does it state that a bill introduced in a previous Congress could supplant the necessary work on that bill in the present one? To treat the last Congress as a legislative mulligan by bypassing the committee process and bringing the legislation directly to the floor is not an appropriate way to begin consideration of an issue that's complicated as cybersecurity."
But at the heart of McCain's objections to the bill were provisions that would have the Department of Homeland Security enforce standards the owners of the critical infrastructure determined should be applied to safeguard their network vital to the nation's security. McCain also said the bill's sponsors failed to adequately consider having the National Security Agency, part of the Defense Department, take the lead to ensure the security of the nation's critical infrastructure, rather than DHS, which he contends has less expertise.
He also questioned why the bill would exempt computer hardware and software makers from some of the standards other industries would need to comply with. "What specific factors went into providing regulatory carve-outs for hardware and software manufacturers?" he asked. "My suspicion is this has more to do with garnering political support and legislative bullying and not sound policy considerations."
McCain said he and six other ranking Republican members of Senate committees with IT security oversight would introduce after Presidents' Day a version of the cybersecurity bill that the GOP lawmakers contend would be less intrusive on business.
Lieberman, the 2000 Democratic vice presidential nominee who bucked his party by endorsing McCain for president in 2008, expressed regret over his colleague comments. "I cannot conceal the fact that I'm disappointed by your statement," said the Independent Democrat from Connecticut, who caucuses with the Democratic majority. Lieberman said the bill reflects an earlier version the committee had marked up. Plus, he said, the bill's sponsors reached out to all senators for their ideas on how the legislation should be shaped. "We pleaded for involvement and a lot of people, including yourself, have not come to the table," Lieberman said to McCain. He said Reid indicated senators could offer amendments to the Cybersecurity Act when it comes up for consideration on the Senate floor.
Agreeing to Disagree
The disagreement between Napolitano and Ridge over how much regulation the bill would impose on business was not contentious, and not just because they testified at different times. The discourse between these witnesses and committee members was congenial.
Napolitano pointed out that the bill, which has the backing of the Obama administration, allows businesses that operate critical infrastructure to establish their own security standards, with DHS providing the role to assure companies do what they said they would. "It is a security bill, not a regulatory bill," she said. In the case of an already regulated industry, such as the Federal Communications Commission over communications networks, government regulators would maintain their oversight, and not DHS.
The bill, Napolitano said, "really is designed to making sure that we really have a basic level of security in the cyberstructures of our nation's core critical infrastructure and that we have a way to exchange information. That allows us to do that without private-sector parties being afraid to violate other laws. This is not what one would consider a regulatory bill at all. And, as Sen. Collins said, it really is designed to protect the American economy, not to burden the American economy."
Ridge, the nation's first Homeland Security secretary who testified on behalf of the United States Chamber of Commerce, said that business, not government, knows best how to protect their information networks. Ridge said the so-called "light-touch" approach to developing standards could easily segue into onerous regulations. "A light touch can turn into a stronghold," he said. "It's a slippery slope that I'm most concerned about."
Strengthening Economic Prosperity
Collins expressed disappointment with the chamber's view, saying she feels the sponsors' approach to allowing businesses to establish cybersecurity standards resulted from the lawmakers listening to business. She said the bill opposes efforts to expand regulation that would burden the American economy. "Regulations that are necessary for our national security and that promote - rather than hinder - our economic prosperity strengthen our country," she said.
Another witness, former Homeland Security Assistant Secretary for Policy Stewart Baker, said the sponsors might have gone too far to accommodate the owners of the critical infrastructure. Infrastructure owners, when assessing risk, look at how it would benefit their businesses and not necessarily how it would protect the nation, so some regulation might be needed, Baker said. He also said that it could take eight to 10 years for businesses to establish the proper security standards to defend against a digital assault, and suggested the bill be amended to allow the government to get businesses to speed up the process.
"If there was one change that I would make to this bill is to put in a provision that says in an emergency, where there really is an immediate threat to life and limb, the secretary has the ability to compress all of the time frames and to move quickly from stage to stage," Baker said. "If we only have a week to get the grid protected, she's in the position to tell the power companies, 'You be here on Tuesday and bring your best practices because by Friday you're going to have to start implementing them because we know there's an attack coming this week.' That is something that we need to be able to do and have the flexibility to do."
James Lewis, cybersecurity thought-leader at the Washington think-tank Center for Strategic and International Studies, said American businesses already have experienced cyberattacks and proper safeguards must be enacted, especially for critical infrastructure. "National security requires holding critical infrastructure to a higher standard than the market will produce," Lewis said. "The main event is regulating critical infrastructure for cybersecurity. Without this, everything else is an ornament and America will remain vulnerable. Low hanging fruit will not make us safer. And, if you took the section on critical infrastructure out of this bill, you would get a car without an engine."