Cybersecurity Bill Approved with Several Amendments at Markup
Critics of expanded federal authority over private networks came up short with an effort to draw bright-line restrictions in the Cybersecurity Act (S-773), approved by the Senate Commerce Committee with several amendments at a short markup Wednesday. Sponsors emphasized that the bill would keep changing as it moved out of committee and indicated they disagreed with each other on core provisions, including what kind of regulations to apply to network and infrastructure owners. Chairman Jay Rockefeller, D-W.Va., called the bill “preemptive” to protect the country but “basic,” lacking many details despite having gone through four drafts.
It has been a long haul for the bill, which drew early controversy for a “kill switch” provision that many interpreted as giving the president authority to cut off the Internet in an emergency. Rockefeller and Sen. Olympia Snowe, R-Maine, the lead sponsors, emphasized that the provision had been dropped from the latest draft (CD March 18 p9). The committee ignored a handful of amendments to clarify that the bill doesn’t expand authority on other points.
"It’s almost like we're starting in kindergarten on this subject,” Rockefeller said, despite cybersecurity’s having been made a top priority by intelligence chiefs and the most recent two administrations and “years of consultations” with businesses, civil-liberties groups and others. “The nation doesn’t know anything about it.”
Ranking Member Kay Bailey Hutchison, R-Texas, thanked Rockefeller for including her amendments on research and development, scholarship programs and others in the manager’s package. But she was wary of audit and compliance requirements on businesses, a provision that brought criticism from tech groups (WID March 24 p4). “Mandates on training for a small part of the workforce” are burdensome and not necessarily effective, she said. “That linkage has not been established in my mind.” But she said qualms could be dealt with after the committee passed the bill.
"This is the beginning of this effort,” which will cut across committee lines, Snowe said. The Homeland Security and Governmental Affairs Committee is considering a complementary bill (S-778), also sponsored by Rockefeller and Snowe, to create a White House Office of National Cybersecurity Advisor, whose chief would need Senate confirmation. It hasn’t moved in nearly a year. Without the confirmation requirement, the Senate can’t tell the adviser, now Howard Schmidt, to come to the Hill, Snowe said. And the job needs “institutional heft,” she said.
S-773 gives specified departments a year to come up with a cybersecurity strategy, and “we'd better get it done before a year because our enemies are out there,” said co-sponsor Sen. Bill Nelson, D-Fla. The sponsors noted that they're all on the Intelligence Committee. “We understand the gravity of this threat,” Snowe said. The government’s approach to cybersecurity has been “little more than a reactive hodgepodge” of mandates and bureaucracy, and S-773 would give business incentives to innovate, provide a “clearinghouse” to clarify public and private roles, and share classified information with network owners, she said. The China-traced cyberattacks on Google will be “just the tip of the iceberg” without a comprehensive approach, Snowe said.
Sen. Maria Cantwell, D-Wash. and a former RealNetworks executive, said the sponsors have a “unique perspective” from their Intelligence Committee work and she thanked them for including her amendments relating to industrial control systems. Cantwell said she had withdrawn amendments in the expectation they would be discussed as the bill moves along. But she said the bill isn’t technology-neutral. “We can’t have” the National Institute of Standards and Technology “or anyone in the federal government picking technology winners and losers.”
The committee approved 15 of 28 amendments, the amended bill and the rest of the day’s committee business in one vote. Amendments by Cantwell would declare modern industrial-control systems to be “information systems,” authorize a two-year National Science Foundation grant program for cybersecurity curricula in control systems and make timelines in the bill more consistent. Hutchison’s would change the definition of critical infrastructure, set performance standards for scholarship winners to get “competitive service positions,” require computer or math proficiency to get scholarships, require additional detail in “collaborative response plans” and prohibit regional cybersecurity centers from competing with business services. Two amendments by Sen. Amy Klobuchar, D-Minn., would ensure that federal, state and local law enforcement are involved and would broaden the FCC’s consideration of cybersecurity in its broadband plan. An amendment by Sen. Tom Udall, D-N.M., says consumer education and digital literacy programs can improve cybersecurity by dealing with “human factors” in vulnerabilities. One by Sen. Mark Warner, D-Va., would have NIST identify appropriate authentication technologies based on the “necessary level of functionality and privacy protection” in a particular application.
Amendments putting limits on federal authority weren’t adopted. They included a slew by Cantwell that would make regulation of infrastructure owners vary by how large the businesses are, specify that sector coordinating councils have no “delegated federal authority” and make it “abundantly clear” that the president has no expanded powers in an emergency response role. The latest draft says the president won’t get new authority under that section, which at first set off alarms about what’s called a kill switch. Amendments by Cantwell to require NIST to come up with tech-neutral criteria and put out cybersecurity guidance in line with federal rulemaking procedures were also ignored. The committee ignored an amendment by Sen. John Ensign, R-Nev., to scrap certification and compliance mandates on businesses, and one by Snowe to include the cybersecurity adviser spelled out in S-778.
The committee also approved a bill (S-2881) sponsored by Snowe letting each FCC commissioner hire an engineer or computer scientist for technical consultation. Across the Capitol, the House Commerce Energy Subcommittee passed Wednesday the Grid Reliability and Infrastructure Defense Act, which would order the Federal Energy Regulatory Commission to protect the cybersecurity of the electric grid.