Cybersecurity legislation is officially in play, thanks to a last-ditch effort by the sponsors of a revised comprehensive cybersecurity bill (PDF) in the Senate (S 3414). The sponsors, who include Senate Homeland Security Chairman Joe Lieberman, I-Conn., ranking member Susan Collins, R-Maine, and Commerce Chairman Jay Rockefeller, D-W.Va., have unveiled a new version of the bill that is expected to form the basis of floor debate, as soon as next week. Unlike its predecessor (S 2105), the new bill does not include any mandatory security standards for the private sector networks deemed crucial to national security. Instead, a multi-agency council would approve cybersecurity standards developed by private industry groups. Companies that prove they comply with those standards would then be eligible for liability protections, expedited security clearances and "priority assistance" from the government on cyber-issues.

Since the new bill finally abandons the idea of regulations for critical infrastructure providers, it appears likely to win over enough GOP support to break a filibuster and come to the floor for a vote. The outcome remains uncertain, but the sponsors have undertaken extraordinary efforts to win over their critics, including privacy advocates such as the Center for Democracy and Technology and the ACLU. Those groups and others have raised privacy concerns about the information-sharing portions of both Senate bills (S 2105, S 2151) and CISPA (HR 3523), which passed the House earlier this year. The new legislation would ensure companies give their cybersecurity information directly to civilian agencies and not the military — and it restricts use of that data to cybersecurity purposes or to protecting people from imminent threat of physical harm or death.

This latest legislation is clearly a carefully crafted attempt to appease critics with something that can potentially be enacted into law this year. While the bill doesn't include security mandates, Lieberman noted it leaves the door open for a future Congress to come back and strengthen its requirements if needed. Despite lacking those mandates, the legislation also goes farther than CISPA to protect U.S. networks, making it the choice among cybersecurity experts and others concerned about the threat of a catastrophic cyberattack. But first the legislation must gain passage in the Senate, which appears likely, and at least draw interest in the House, a considerably more difficult proposition. Given their previous activity on cybersecurity legislation, House leaders may be willing to set up a conference committee with the Senate and hammer out a deal on this critical national security issue. With regulations for critical infrastructure providers shelved for the moment, that conversation would likely be more amicable than at any other time in recent memory.

Quotable: “This compromise bill creates a public-private partnership to set cybersecurity standards for critical American infrastructure, and offers the reward of some immunity from liability to those who meet those standards. In other words, we are going to try carrots instead of sticks as we begin to improve our cyber defenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system. While the bill we introduced in February is stronger, this compromise will significantly strengthen the cybersecurity of the nation’s most critical infrastructure and with it our national and economic security.” — Sen. Lieberman

Lawmaker Says Drones May Threaten Privacy: Rep. Henry Cuellar, D-Texas, suggested Thursday that Congress "probably" needs to look at passing legislation to protect privacy because of the expanded use of unmanned aerial vehicles (UAVs) or drones in the U.S. The Federal Aviation Administration reauthorization law passed earlier this year directed the agency to integrate drones into U.S. airspace by 2015, but had no specific privacy provisions for those drones, which are often used for surveillance purposes. His comments came at a Thursday hearing on the Department of Homeland Security's role in governing drones.

Lawmakers Say Leaks Didn't Come From Pentagon: The leaders of the House Armed Services panel said Thursday after a classified hearing that they were satisfied a recent series of intelligence leaks did not emanate from the Pentagon. The leaks, involving classified drone strikes and cyberweapons programs, have prompted outrage from Congress, and accusations from Republicans that they were authorized by the White House for political purposes. The three-hour closed-door hearing with Defense Secretary Leon Panetta and Chairman of the Joint Chiefs of Staff Martin Dempsey convinced the lawmakers that the Pentagon has taken steps to quash leaks and was investigating their origin.

Senate Panel Approves Surveillance Law: The Senate Judiciary Committee approved the extension of a law that allows the warrantless surveillance of foreign targets, even those in communication with U.S. citizens. The measure passed by a 10-8 vote along party lines after the new version moved up the proposed sunset by two years from June 2017 to June 2015. Two House committees have approved extending the law until 2017, but chairman Patrick Leahy, D-Vt., termed that period too long. Sen. Ron Wyden, D-Ore., has threatened to place a hold on the bill until more information is provided about how many U.S. citizens have been affected by its provisions.

Internet Defense League Focused on Privacy, Free Speech: A new coalition of online activists, tech companies, and advocacy groups sought to build on the momentum of the SOPA/PIPA fight earlier this year by launching the Internet Defense League on Thursday. The coalition will work to mobilize Internet users on issues of free speech and privacy — topics that will likely take center stage during the upcoming legislative debates over cybersecurity and privacy. Members of the group have already expressed concern about some of the cybersecurity bills in front of Congress, as well as trade negotiations such as the Trans-Pacific Partnership. Lawmakers showing support for the coalition included key SOPA opponents Wyden, Rep. Darrell Issa, R-Calif., and Rep. Jared Polis, D-Colo.

The Senate Judiciary Subcommittee on Privacy held a hearing on facial recognition technology earlier this week; transcript available here.

CRS Report on China, Internet Freedom and U.S. Policy available here (PDF).