http://online.wsj.com/article/SB10001424052970203961204577269832774110556.html

March 9, 2012

Cybersecurity Bills Duel Over Rules for Firms

By SIOBHAN GORMAN

WASHINGTON--A bipartisan Senate bill to bolster cybersecurity has sparked a competing proposal from Republicans wary of new regulations for businesses, a signal that burgeoning anti-government fervor has begun shaping national-security measures.

The White House-backed proposal would require companies that own computer networks integral to key critical infrastructure like electric-power systems and nuclear reactors to meet certain cybersecurity standards. Sponsors include the chairman and ranking member of the Homeland Security panel, Sens. Joseph Lieberman (I., Conn.) and Susan Collins (R., Maine).

The Republican alternative, unveiled last week, omits provisions for critical infrastructure security and instead focuses on creating better mechanisms for the sharing of cyberthreat information between the government and industry.

The bills' future will likely depend on whether the debate is seen as one primarily about national security or economic growth, congressional and industry officials say.

"Is this a national-security conversation or is this an economic-prosperity conversation?" said one telecommunications-industry official, who favors the Republican bill. "It's not about building a new battlefield."

Election-year politics could derail enactment of any cybersecurity measure, but lawmakers and industry officials increasingly say they believe Congress will pass a bill. The competing measures are expected to reach the Senate floor soon.

Much of the debate so far has focused on whether proposed new regulations would be too onerous and costly for the private sector. Business interests have played a key role in crafting both proposals.

The bipartisan bill would create a new regulatory regime. The Homeland Security Department would work with industry to determine which computer systems within companies were running infrastructure where a cyberattack would be catastrophic.

For those companies, Homeland Security and industry representatives would establish required standards. The regime would be overseen either by relevant federal regulators--for instance, the Federal Energy Regulatory Commission in the case of electric utilities--or by Homeland Security.

Congressional officials said they have incorporated thousands of changes into the bipartisan legislation to address business concerns. For example, they have included waivers for industries that show they have met security standards, and have said that Homeland Security would oversee the standards only for industries not already regulated by another agency.

"This bill actually takes a really innovative approach to regulation," said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies who has advised the White House.

Like the GOP bill, the White House-backed bill also has measures that aim to improve threat data-sharing.

Republicans have promoted their proposals as an effort to improve security without placing new requirements on the private sector.

"Some may say our bill doesn't go far enough, because it does not impose layers of regulation on critical infrastructure," said Sen. Saxby Chambliss (R., Ga.) recently at the Republican bill announcement. "Private-sector innovation is the engine that drives our economy today, and more government is seldom the solution to any problem."

The GOP bill has drawn significant industry support. The U.S. Chamber of Commerce is expected to support the framework of the bill. It backs "the overarching principles behind the nonregulatory approach to cybersecurity policy," said Chamber spokesman Bobby Maldonado.

Industry representatives who oppose new cybersecurity requirements, however, are beginning to discuss what regulations they might be willing to accept, a telecom industry official said.

"If it's crammed down our throats, what would we be OK with swallowing?" the telecom official said, describing the process. "You're preparing for the worst case."

The White House sought this week to refocus the debate on national security. Officials deployed a small army of top intelligence and national-security officials to meet with senators to warn about inadequacies of the current system and explain why cybersecurity standards would improve security.

To make their point, they played out a hypothetical situation of a cyberattack on the power grid in New York.

"It was really pointing out this is a security bill," said Homeland Security Secretary Janet Napolitano, who was part of Wednesday's briefing, in an interview. "That we're being attacked now and that we haven't had a catastrophic attack, but we shouldn't wait until there is one to address the problem legislatively."

White House officials said cybersecurity standards are essential to protecting the nation. "As long as there are weak links in the core critical infrastructure, there's a risk for everybody," said Howard Schmidt, the White House cybersecurity chief, adding that even seemingly small intrusions can escalate into large problems.

Sen. Chambliss said the briefing didn't sway him from the Republican approach. "The case has not been made, especially in these difficult economic times, that more government regulation of critical infrastructure will clearly improve, rather than hinder, our cybersecurity," he said.

Some cybersecurity specialists say the drafters of the White House-backed bill have already undermined the security provisions in making accommodations to business interests.

For example, changes in the bill that raised the threshold for determining which computer systems would be required to meet the new-standards regime now leave out many critical systems, said Alan Paller, director of research for the SANS Institute cybersecurity firm. "That's a stellar example of how business can disembowel an important piece of legislation," he said.


A Virtual Contest | Provisions of two measures

CYBERSECURITY ACT OF 2012

White House-backed bill, sponsored by Sens. Susan Collins (R., Maine), Joseph Lieberman (I., Conn.) and others.

Critical Infrastructure: Bill requires that company computer systems involved in vital functions meet standards set by the Homeland Security Department and industry.

Information Sharing: Removes legal barriers to sharing cyberthreat data between the government and private companies, and provides liability protection to companies.

Government Networks: Aims to bolster government computer security, for example through continuous monitoring of networks for security gaps.

SECURE IT ACT OF 2012

GOP bill, sponsored by Sen. John McCain (R., Ariz.) and others.

Information Sharing: Also removes legal barriers to sharing threat data and provides liability protection. Requires contractors to share data with the government related to their services.

Government Networks: Also aims to bolster government computer security.

Criminal Penalties: Expands penalties for cybercrime, particularly against critical infrastructure.

Source: U.S. Congress, WSJ research