Obama Calls for Passage of Cybersecurity Act
Revised Bill Seen as Less Robust than an Earlier Draft
As the Senate debate begins on the Cybersecurity Act of 2012, President Obama has endorsed the measure despite revisions from an earlier version that would have allowed the federal government to regulate the mostly privately owned critical national IT infrastructure.
"While lacking some of the key provisions of earlier bills, the revised legislation will provide important tools to strengthen the nation's response to cybersecurity risks," a Statement of Administration Policy says.
In the statement, the administration laments that the revised bill contains critical-infrastructure protection measures that it deems are less robust than in an earlier draft. "But," the statement says, "[it] would still produce meaningful cybersecurity improvements." [See Senators Purge Regulations from Cybersecurity Bill.]
The original bill called on the federal government, working with private-sector stakeholders, to develop security standards it could impose on critical infrastructure providers. But sponsors of the bill backed off any type of regulation in order to get Republican support for the measure. Instead, the bill calls for the use of incentives to get private-sector owners of the infrastructure to implement sound security practices.
Still, the White House statement says the administration would not support amendments that would weaken the critical infrastructure protection measures in the legislation, including reducing the federal government's existing roles and responsibilities in coordinating and endorsing the outcome-based cybersecurity practices; weakening the statutory authorities of the Department of Homeland Security to accomplish its critical infrastructure protection mission; or substantially expanding the narrowly tailored liability protections for private sector entities.
"While liability limitations are necessary to encourage information sharing," the statement says, "overly broad immunities from legal obligations would undermine the very trust that the bill seeks to strengthen."
The information technology industry generally likes the bill, but seeks changes, including provisions that would strengthen liability protections when sharing cyberthreat information with government and other businesses.
"The bill even burdens those wishing to share information with another private entity by providing that the sender may not disclose cybersecurity threat indicators to another private entity that it knows is reasonably likely to violate provisions of the title," Larry Clinton, chief executive of the industry group Internet Security Alliance, says in a statement. "Without a further definition of reasonably likely, institutions that would like to disclose will not disclose because they will be unable to identify those institutions that fall into this category and increases the uncertainty around liability."
The administration statement says the White House appreciates what it characterizes as the bill's strong protections for privacy and civil liberties and would not support amendments that would weaken these protections.
"It is essential that the collection, use and disclosure of such information remain closely tied to the purposes of detecting and mitigating cybersecurity threats, while still allowing law enforcement to investigate and prosecute serious crimes," the statement says. "All entities - public and private - must be accountable for how they handle such data. ... The administration is confident that S. 3414 can improve the nation's cybersecurity while protecting the privacy, confidentiality and civil liberties that are central to American values."
Presidential advisers identify what they consider some flaws in the bill, which would create an interagency National Cybersecurity Council to coordinate the identification of voluntary cybersecurity practices for critical cyber infrastructure. As currently drafted, the White House says, the structure of the council raises constitutional concerns and should be amended to employ an administrative structure similar to that of other recently established councils.
The White House also questions provisions in the bill that it says purport to prescribe the executive branch's responsibilities in coordinating with foreign governments and conducting diplomatic negotiations. The administration calls on the Senate to clarify these provisions to maintain the president's exclusive constitutional authority to conduct diplomacy.