Note: This was co-authored by Sens. John D. Rockefeller IV, (D-W.Va.), Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Dianne Feinstein (D-Calif.). In February, these four senators jointly sponsored the Cybersecurity Act of 2012, a bill that has been in the works for more than three years.
Every day, rival nations, criminal syndicates and maybe even terrorists probe for weaknesses in our most critical computer networks, seeking to steal data, money, and identities. Even more dangerous is their potential to plant malicious code in industrial control systems that would allow them to seize control of a region’s electric grid, crash stock markets, or contaminate water supply with the touch of a key from a world away.
It feels like we’re back to the days before September 11, 2001. The system is blinking red. Yet, we are failing to connect the dots, again.
In a letter last year to Senate leadership, former Homeland Security Secretary Michael Chertoff and Defense Secretary William Perry, along with six of our nation’s premier security experts, spanning Democratic and Republican Administrations, issued a stark warning: “[The] constant barrage of cyber assaults has inflicted severe damage to our national and economic security, as well as to the privacy of individual citizens. The threat is only going to get worse. Inaction is not an acceptable option.”
We agree it is time to take action. To counter these threats, we have introduced the comprehensive, bipartisan Cybersecurity Act of 2012. Our bill has several key provisions.
First, it ensures that the systems that control our most critical infrastructure are secured. These are the systems that if breached or manipulated could reasonably lead to mass casualties, evacuations of major population centers, the collapse of financial markets, or degradation of our national security. A competing bill recently introduced in the Senate contains no provisions whatsoever to protect critical infrastructure. That is a major omission.
After identifying these precise systems, the Department of Homeland Security would then work with private-sector owners of these vital systems to develop cybersecurity performance requirements based on risk assessments of those particular industries. Covered entities must meet these performance requirements for specific systems and assets, not for their entire company.
Owners would have the flexibility to meet those performance requirements with whatever cybersecurity measures they choose, as long as those measures achieve the required level of security. DHS will not be picking technological winners and losers, and there is nothing in this bill that would stifle innovation. Leading global information companies have even stated that this legislation “includes a number of tools that will enhance the nation’s cybersecurity, without interfering with the innovation and development processes of the American IT industry.”
And if a company already has security levels that meet the requirements, it will be exempt, and entities already adequately regulated will receive waivers.
Data sharing between feds, private sector
This bill also establishes mechanisms for information sharing between the private sector and the federal government – and among private sector companies. This is important — computer security experts need to be able to compare notes in order to protect us against the ever-evolving threat. But the bill also creates security measures and oversight to protect privacy and preserve civil liberties.
We have worked hard to address the concerns of privacy and civil liberties advocates and believe our approach offers some of the strongest protections of any proposal being discussed in Congress.
Besides securing critical infrastructure, this bill does several other important things: It provides for a cybersecurity research and development program to further strengthen our computer defenses; improves the security of the federal government’s computer networks by moving to a system of continuous monitoring and “red-teaming” exercises to test for vulnerabilities; and strengthens the federal cybersecurity workforce by making sure we can offer competitive salaries to recruit and retain some of the best minds in the business.
This bipartisan bill has been at least three years in the making, with some 20 hearings held across seven different Senate committees, including at least 13 in our committees: the Homeland Security and Governmental Affairs Committee; the Commerce, Science, and Transportation Committee; and the Select Committee on Intelligence. Homeland Security and Commerce each passed comprehensive cybersecurity bills in the last Congress. We have reached out to industry, academics, and civil liberties, privacy, and security experts for advice. Hundreds of changes have been made to this bill as a result of their input.
There is a myth that earlier versions of this bill contained a “kill switch” that would allow the president to seize control of the Internet. There is nothing remotely like that in this bill.
There is also nothing in this bill that touches on the balance between intellectual property protections and free speech that inflamed public opinion over the proposed “Stop Online Piracy Act” or the “Protect IP Act.” This legislation will not regulate the design or architecture of the Internet. This bill is focused on protecting our most critical infrastructure systems and assets: those that keep the water flowing, the power on, and the trains running.
September 11 reinforced the need to stay one step ahead of those who would do us harm. Now we must apply those lessons to cybersecurity. If we fail to act, we only increase the likelihood that we will have to cope with the aftermath of a massive cyber attack.