International Trade Today is a service of Warren Communications News.
Closed Process?

Senate Committees Reviewing Final Cybersecurity Proposal, Says Senator

ST. GEORGES, Del. -- Senate Majority Leader Harry Reid, D-Nev., is circulating a cybersecurity proposal among Senate committees of jurisdiction that combines bills proposed by Sen. Jay Rockefeller, D-W.Va., and Joe Lieberman, I-Conn., said Sen. Tom Carper, D-Del., Thursday. But the process is secretive and shutting out private industry, says a leading lobbyist, making him “very nervous.”

Reid and his staff are shepherding a final bill among the Senate Intelligence, Judiciary, Homeland Security, and Commerce committees, said Carper, who cosponsored the Lieberman bill. The specifics of the bill are still being worked out, but it will be more like Lieberman’s legislation, which was marked up earlier this summer by the Senate Homeland Security Committee. The bill will use the federal government’s purchasing power as an incentive for private industry to adopt cybersecurity measures, he said, and would pay more attention to training government workers to defend its systems. Carper referred us to Senate Homeland Security Committee staffer Erik Hopkins for more details.

Hopkins confirmed that Reid is circulating a proposal to those Senate committees along with the Senate Foreign Affairs Committee. Discussions are so preliminary that a final draft hasn’t been written down, he said. Hopkins did not know when a final draft would be available but said it would come out this fall and be sent to private industry groups for review.

Hopkins said the proposal isn’t finalized yet and he could not speculate on its specific details. However, he said the Commerce and Homeland Security committees both are in agreement that the Department of Homeland Security should have substantial authority over critical infrastructure to address emergency situations. Hopkins didn’t comment on a “kill switch” provision but said it was not feasible to shut down the Internet. It was designed for post-nuclear war communications, he pointed out, and has always been meant for keeping communications open.

Hopkins also said it was a good idea for the federal government to use its procurement process to encourage its contractors to adopt cybersecurity measures. He would not comment on supply chain management, but said the federal government needs a strategy to address it for national security reasons. It’s uncertain if there’s enough time in the congressional session to pass a cybersecurity bill, said Hopkins. If there isn’t, noncontroversial cybersecurity provisions could be added to the Department of Defense authorization bill. For example, federal agencies could be required to bolster their cybersecurity defenses, he said. They also could be required to constantly monitor them instead of conducting a yearly review, said Hopkins. Carper also noted this provision.

Meanwhile, two lobbyists said the Senate majority leader has shut private industry out of the process since becoming involved in the negotiations over the Rockefeller and Lieberman bills. The first lobbyist, who asked not to be named, said it was a consensus view among lobbyists that the process has been secretive and closed to input from private industry since Reid took charge. Senate staffs had been reasonably good at including industry comments prior to that, the lobbyist said. The lobbyist said waiting to pass a bill until the next Congress may be a good idea because there may not be enough time for private industry to review a bill once it came out. That cooperation is critical to the public-private partnership characterizing cybersecurity defenses, the lobbyist said.

Many lobbyists are extremely concerned that the process has been closed to them in the past month, said Internet Security Alliance President Larry Clinton. Prior to then, Senate staffs had been available for input and industry could see drafts of bills and comment on them, he said. Clinton said the Senate majority leader’s plan is to finalize a bill behind the scenes and put it up for a Senate vote without hearings or public comments. The majority leader will probably tell private industry that they've had a chance to comment in prior hearings, said Clinton. “To me, that is completely counterfeit,” he said. Comments made in a hearing last year don’t apply to a different bill this year, he said.

The prospect worries Clinton because cybersecurity is such a high-tech topic. Senate staffs do not have the expertise of private industry in writing a bill, he said. One of the hardest issues is supply chain management, he said. Virtually everything digital is built in component parts, some of it overseas where it could be deliberately infected during manufacturing under foreign control. It’s critical for private industry to review and comment on supply chain management issues, he said. They've asked to see a draft of the final bill but are told by Senate staff that it isn’t available, he said.

Senate staffs are reviewing proposals now and are supposed to get their comments to the Majority Leader this week, said Clinton. The plan is to unveil the bill in mid-September and pass it in the third week of September, he said. That would be a disaster because it wouldn’t give private industry enough time for review, he said. Clinton’s biggest fear is that a bill will not analyze the economics of cybersecurity, only strategic concerns. He has heard that the bill will extensively regulate private industry without incentives like tax credits, liability protections, or procurement contracts. “There will be nothing done to maintain a sustainable system,” he said. “We should not be in an adversarial position,” said Clinton. “But the process is pushing us into one, and it is very bad for national security.”

Carper responded by denying the process has been closed to private industry. “It’s hard to believe lobbyists can’t talk to staff,” he said. Congress leaks like a sieve, he added. A lobbyist who can’t get a copy “isn’t worth his salt,” he said. Majority Leader Reid hasn’t asked Senate staff to withhold comment, he said.

Hopkins responded by stating that there hasn’t been a final bill to shop around with lobbyists yet. One will circulate when it’s ready, he said, agreeing that industry has more expertise than Senate staff on cybersecurity. He couldn’t comment on how much time industry would have but said it would be “substantial” and that one week wasn’t much time. Private industry has had a lot of time in past hearings to comment on specific proposals, he said.