Cybersecurity Bill in U.S. Senate Calls for Industry Rules
Companies running computer networks essential to U.S. economic and national security would be required to better defend their systems from spies, hackers and terrorists under bipartisan Senate legislation unveiled today.
The bill calls for identifying vital information networks and setting security requirements for companies and government agencies. Lawmakers and regulators say rules are needed to fight increasingly sophisticated cyber attacks capable of disrupting power grids, banks and communications networks.
“We are on the brink of what could be a calamity,” Senator Jay Rockefeller, a West Virginia Democrat, said in announcing the bill on the Senate floor. “A widespread cyber attack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago.”
The push for comprehensive cybersecurity legislation has intensified following attacks last year on companies including New York-based Citigroup Inc. (C), the third-largest U.S. bank by assets, and Bethesda, Maryland-based Lockheed Martin Corp. (LMT), the world’s largest defense company.
Senate Majority Leader Harry Reid, a Nevada Democrat, has said he wants to bring the bill to the chamber’s floor for a vote as soon as possible. The Senate Homeland Security and Governmental Affairs Committee scheduled a Feb. 16 hearing on the measure backed by Senators Joe Lieberman, a Connecticut Independent, and Susan Collins, a Maine Republican.
The Senate bill introduced today may affect computer security spending at businesses including Southern Co. (SO), the largest U.S. utility owner by market value, and AT&T Inc. (T), the nation’s biggest telephone company.
The legislation combines elements of cybersecurity bills introduced in the past three years into one measure. Industry groups have criticized its broad approach, saying it may raise costs for companies and be too prescriptive.
“We settled on a plan that creates no new bureaucracy or heavy-handed regulations,” Rockefeller said. “It’s premised on companies taking responsibility for securing their own networks.”
A Bloomberg Government study released Jan. 31 found that utilities, banks and other operators of critical networks would have to spend almost nine times more on computer defenses to achieve security capable of preventing 95 percent of attacks, an increase to $46.6 billion a year from about $5.3 billion.
The study, conducted by the Ponemon Institute LLC, a Traverse City, Michigan-based security-research firm, was based on interviews with technology managers at 124 companies and 48 government agencies.
Under the legislation, the Homeland Security Department would have the power to identify systems that may cause mass casualties or catastrophic economic damage when attacked. The agency would set regulations requiring operators of critical networks to improve security. Companies would have to show that their networks are secure or face penalties.
The U.S. Chamber of Commerce, the nation’s largest business-lobbying group, urged lawmakers last week to delay consideration of the bill and called for hearings before any floor vote, citing concerns about added expenses for companies.
“Rushing forward with legislation that has not been fully vetted would be a major mistake,” Bruce Josten, the Chamber’s executive vice president of government affairs, wrote in a Jan. 30 letter to Reid and Senate Minority Leader Mitch McConnell, a Kentucky Republican.
Government rules typically can’t keep pace with fast- changing technology and evolving cyberthreats, Kevin Richards, senior vice president of federal government affairs for TechAmerica, a trade association, said in an interview.
“There are two cardinal rules when it comes to the tech community,” said Richards, whose Washington-based group’s members include Apple Inc. (AAPL), International Business Machines Corp. (IBM) and Dell Inc. (DELL) “First is the rule of do no harm. Second is beware of unintended consequences.”
Seven Senate Republicans sent a letter to Reid today expressing reservations about his plans for swift action on the measure by the full chamber. The letter was signed by Kay Bailey Hutchison of Texas, John McCain of Arizona, Charles Grassley of Iowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, Jeff Sessions of Alabama and Mike Enzi of Wyoming.
The debate over cybersecurity legislation is unfolding amid increased concerns that U.S. networks are vulnerable to theft and sabotage. Hackers from China and Russia are pursuing American industrial secrets, jeopardizing an estimated $398 billion in U.S. research, according to a Nov. 3 report from the National Counterintelligence Executive, an advisory panel of senior U.S. security officials.
Companies with payroll and other corporate accounts lose about $1 billion a year because of hackers based mostly in Eastern Europe, according to security specialist Don Jackson of Dell SecureWorks. Hackers sell stolen credit-card data for as little as $3.50 per card on underground bazaars, an investigation by Bloomberg News showed last year.
More than 80 U.S. law firms have been targeted by China- based hackers intent on acquiring their clients’ deal data to give Chinese companies an edge in investments and negotiations, according to Mandiant Corp., an Alexandria, Virginia-based cybersecurity firm.
“There is disagreement about when hackers will disrupt critical infrastructure in the United States but most experts put it within the next couple of years,” James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies in Washington, told the House Energy and Commerce Communications and Technology Subcommittee during a Feb. 8 hearing.
The Chamber and TechAmerica say they favor legislation that relies on incentives, rather than rules, to improve security. Republicans in the U.S. House of Representatives are pursuing smaller, targeted bills rather than the comprehensive approach taken in the Senate.
“I don’t want to get bogged down with a giant bill,” Representative Greg Walden, an Oregon Republican, said in an interview Feb. 8.
An 11-page bill from Representative Mike Rogers, a Michigan Republican, would let the government disclose classified cyberthreat data to companies in sensitive industries and shield businesses from lawsuits when they act in good faith to protect their networks.
A separate 45-page measure from Representative Dan Lungren, a California Republican, would create a federal organization to promote information-sharing on cyberthreats. It would let the Homeland Security Department identify risks to networks and develop security measures, without giving the agency new regulatory powers.
Walden, who leads the House Energy and Commerce Communications and Technology Subcommittee, said he will consider taking up a bill offering companies incentives that may also include tax breaks.
“If we do this in an incorrect way we actually hurt the ability of the private sector,” he said.
The government and companies should work together to map out computer security deficiencies rather than impose a broad regulatory framework, Robert Dix, vice president of government affairs for Sunnyvale, California-based Juniper Networks Inc. (JNPR), said in an interview Feb. 8.
“Let’s take the chewable bites,” said Dix, whose company makes computer hardware and software. “Let’s pass it, get traction and then build on it.”
The Senate bill is S. 2105. The Rogers bill is H.R. 3523, and the Lungren bill is H.R. 3674.
To contact the reporter on this story: Chris Strohm in Washington at email@example.com
To contact the editor responsible for this story: Michael Shepard at firstname.lastname@example.org