Senators introduce new cybersecurity bill

Under proposed legislation, DHS would decide what firms are "critical infrastructure" and require them to meet security standards.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

A group of senators today introduced a bipartisan cyber security bill that includes some new regulation requirements but does not give the president emergency authorities to interfere with the Internet as a previous version did.

The Cybersecurity Act of 2012 calls for the Department of Homeland Security (DHS) to assess risks and vulnerabilities of computer systems running at critical infrastructure sites such as power companies and electricity and water utilities and to work with the operators to develop security standards that they would be required to meet.

The DHS would determine which companies fit the definition of critical infrastructure as defined by systems "whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life." Companies would have the right to appeal the designation, under the measure introduced by Sens. John D. (Jay) Rockefeller IV, (D-West Virginia), Joe Lieberman (I-Connecticut), Susan Collins (R-Maine) and Dianne Feinstein (D-California).

Owners or operators of critical infrastructure systems would need to determine how to best meet performance requirements and to verify that that they were doing so, with owners having the ability to either "self-certify" compliance or use a third-party assessor.

There also are provisions for information sharing between the government and the private sector that maintain civil liberties. And DHS would consolidate its cybersecurity programs into a National Center for Cybersecurity and Communications office.

The proposed law "is the product of three years of hearings, consultations, and negotiations," the statement announcing the measure says. "The bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security."

Still smarting from the recent derailing of the controversial Stop Online Piracy Act (SOPA) following public protests and vehement opposition from tech and Internet firms, including many that staged a one-day site blackout. Critics complained that SOPA would have allowed the U.S. government to order Internet service providers to all but eliminate Web sites that allegedly contain pirated material.

In introducing the new cybersecurity legislation, the sponsors said the measure "in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act [the House of Representatives version], which involved the piracy of copyrighted information on the internet. The Cybersecurity Act involves the security of systems that control the essential services that keep our nation running--for instance, power, water, and transportation."

And the sponsors noted that in the interest of moving the "legislative process forward," they have not included emergency authorities for the president or included a provision to create a special White House cybersecurity office.

No doubt there will be detractors. The U.S. Chamber of Commerce is one of them.

"Gov. Tom Ridge, the chairman of the Chamber's National Security Task Force, will be testifying on Thursday before the Senate," Chamber spokesman Bobby Maldonado wrote in an e-mail to CNET. "His testimony will be consistent with our January 30 letter to Senate Leaders Reid and McConnell. The Chamber is not supportive of a core component of the new bill -- a regulatory 'covered' critical infrastructure (CCI) program. Instead, we believe that Congress should continue to develop information-sharing legislation that will produce more immediate improvements to American's security and that has robust protections for the business community."

Industry opposition to regulation provisions has been a debate point that has held up cyber security legislation. Meanwhile, a controversial "kill switch" provision that critics said could led to a government mandated Internet shut down, was removed a year ago.

Last May, the White House sent a proposed cybersecurity law to Congress. Increasing reports of hacking risks and flaws in software used in systems controlling critical infrastructure lend a sense of urgency to the cause.