6 Key Cybersecurity Bills Before CongressDo Lawmakers Have Bandwidth to Enact Measure in 2010?
Of these cybersecurity measures, only one bill has passed either chamber; in February, the House of Representatives overwhelmingly approved the Cybersecurity Enhancement Act. And just one significant IT security bill has made it to the full Senate, the Cybersecurity Act, which cleared a Senate panel on a voice vote last month. The other bills remain in committee.
Most of the bills have some overlapping provisions, but except for the International Cybercrime Reporting and Cooperation Act that have twin Senate and House versions, none of the bills are identical.
What follows are brief descriptions of each of these cybersecurity bills and their respective status. (This list does not include the International Cyberspace and Cybersecurity Coordination Act of 2010, which Sens. John Kerry, D.-Mass., and Kristen Gillibrand, D.-N.Y., introduced Monday.)
H.R. 4061 : Cybersecurity Enhancement Act of 2010, sponsored by Rep. Daniel Lipinski, D.-Ill., passed the House on Feb. 4. The measure - assigned to the Senate Commerce, Science and Transportation Committee - promotes the development of a skilled cybersecurity federal workforce, coordinate and prioritize federal cybersecurity research and development, improve the transfer of cybersecurity technologies to the marketplace and promote cybersecurity education and awareness for the public. It also would strengthen the role of the National Institute of Standards and Technology in shaping the way the federal government and the nation address cybersecurity. H.R. 1051 would order NIST to develop and implement a public cybersecurity awareness and education program to encourage the more widespread adoption of best practices.
S 773: Cybersecurity Act of 2010, sponsored by Sens. Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine, requires the president to work with the private sector to develop a comprehensive national cybersecurity strategy for the nation and establish a cybersecurity advisory panel of outside experts from industry, academia and non-profit advocacy organizations to advise him on cybersecurity related matters. The bill - which cleared the Senate Committee on Commerce, Science and Transportation on March 24 - delegates NIST as the United States' representative in the development of international cybersecurity standards. Other provisions would require periodic appraisals of the nation's cybersecurity posture, promote cybersecurity education, awareness and research and development. It also would establish a board to standardized secure computer products for federal acquisition.
Rockefeller and Snowe have a companion bill - S. 788, assigned to the Committee on Homeland Security and Governmental Affair - that would establish within the Executive Office of the White House the Office of National Cybersecurity Adviser.
S. 921: United States Information and Communications Enhancement Act, or U.S. ICE primarily would update the 8-year-old Federal Information Security Management Act, which provides the blueprint for federal departments and agencies to secure their IT assets. Sen. Tom Carper, the Delaware Democrat who chairs the Senate subcommittee with cybersecurity oversight, is the bill's chief sponsor. The measure was assigned to the Committee on Homeland Security and Governmental Affairs.
The original version of U.S. ICE introduced nearly a year ago, like S. 788, would have established a White House office to oversee cybersecurity, but that provision was excised in a revision approved last summer. The revision gives the Department of Homeland Security more sway in managing cybersecurity among federal executive departments and agencies. Though the Office of Management and Budget would retain final say over agencies' cybersecurity budgets, the revised bill provides for DHS to review all departmental and agency cybersecurity spending plans and forward its recommendation to OMB.
H.R. 4900: Federal Information Security Amendment Act, sponsored by Rep. Diane Watson, D.-Calif., is similar to U.S. ICE since both measures are aimed at updating FISMA. The major difference between the two bills is that the House version places cybersecurity authority in the White House whereas the Senate measure grants much cybersecurity governance clout in DHS. Among other provisions of H.R. 4900: Establish a National Office for Cyberspace in the White House whose Senate-confirmed director would chair a newly created Federal Cybersecurity Practice Board to develop the processes agency would follow to defend their IT systems.
The bill also would establish requirements for agencies to undertake automated and continuous system monitoring to identify system compliance, deficiencies and potential risks, require agencies to conduct regular evaluations of their systems and obtain an annual, independent audit of their IT programs to determine their overall effectiveness and compliance with FISMA requirements. It also would establish requirements for the purchase of secure commercial, off-the-shelf IT products and services as well as policies for mitigating supply chain risks associated with those products.
S. 3155 and H.R. 4692: International Cybercrime Reporting and Cooperation Act were introduced in both chambers late last month by Rep. Yvette Clarke and Sen. Kristen Gillibrand, both New York Democrats. The legislation would require the president to provide a global assessment of identity threats from abroad and work with other countries to crack down on their own cyber criminals. The bills provide for financial sanctions to be imposed on countries that do not cooperate.
The Senate bill was assigned to the Foreign Relations Committee; the House measure was assigned to the Foreign Affairs, Ways and Means and Financial Services.
S. 1438: Fostering a Global Response to Cyber Attacks Act was introduced by Gillibrand and assigned to the Foreign Relations Committee. This bill would require the Secretary of State to submit a report to Congress on improving cybersecurity, encourage international cybersecurity cooperation and develop safeguards to protect privacy, freedom of speech, and commercial transactions for inclusion in cybersecurity agreements.
A long-time leader in Congress on information technology and chairman of the Senate Committee on Homeland Security and Governmental Affairs, Joseph Lieberman, has promised to introduce his version of a comprehensive cybersecurity bill. A possible hold up on the bill's introduction is that the ranking Republican on the panel, Susan Collins of Maine, wants to place the top cybersecurity official in the Department of Homeland Security, a position not necessarily favored by the Connecticut Independent-Democrat who chairs the committee.
Bipartisan support is crucial for any bill to have a chance to be enacted. Indeed, cybersecurity has proven to be one of the rare areas within Congress where Democrats and Republicans agree. Differences on approaches - such as whether to grant additional cybersecurity powers to DHS - aren't seen as partisan but personal approaches.
Even with the absence of partisanship, chances of passage of a comprehensive cybersecurity legislation in the 111th Congress diminishes with each passing day. Besides the November election, other matters that will take up lawmakers' bandwidth in the coming months are financial reform, job creation, nuclear proliferation and the confirmation of a new Supreme Court associate justice to replace the retiring John Paul Stevens.
If no significant cybersecurity legislation passes this year, lawmakers efforts this year aren't for naught. They should serve as the foundation for action to be taken in the first session of the 112th Congress that convenes in January.