by Kenneth Corbin

McCain, GOP Vow Alternative Cybersecurity Bill

Feb 16, 20126 mins
CybercrimeGovernmentGovernment IT

Arizona Republican blasts bipartisan cybersecurity bill for DHS authority, new regulations on private sector operators.

WASHINGTON — Blasting a comprehensive cybersecurity bill introduced earlier this week in the Senate as a senseless recipe for more unwarranted regulation, Sen. John McCain (R-Ariz.) said on Thursday that he and six Republican colleagues would bring forward their own legislation when the Senate returns from recess at the beginning of next month.

At a hearing before the Homeland Security and Governmental Affairs Committee to consider the Cybersecurity Act of 2012, McCain objected to both the substance of the bill and the process by which it is on track to move forward, saying that he and other GOP leaders are “left with no choice but to introduce an alternative cybersecurity bill in the coming days.”

See: Senators Unveil Cybersecurity Bill to Empower Homeland Security

“All of us recognize the importance of cybersecurity in the digital world,” McCain said. “It’s my opinion that Congress should be able to address this issue with legislation that a clear majority of us can support.”

McCain and six other ranking committee members earlier this week sent a letter to Majority Leader Harry Reid asking him to delay the floor debate on the measure to give the various committees with jurisdiction more time to hold hearings and develop alternative legislation.

The Cybersecurity Act, sponsored by Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), the chairman and ranking member of the homeland security committee, would empower the Department of Homeland Security to create a framework for securing critical private sector infrastructure, giving the department a limited measure of regulatory oversight. Sens. John Rockefeller (D-W.V.) and Dianne Feinstein (D-Calif.), the chairs of the commerce and intelligence committees, respectively, are also original cosponsors of the bill.

“If the legislation before us today were enacted into law, unelected bureaucrats at the DHS would promulgate prescriptive regulations on American businesses,” McCain said, declaring that the measure would “stymie job creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates.”

Both Lieberman and Collins defended the regulatory approach described in the bill, arguing that the oversight framework is narrowly drawn and gives industry players significant flexibility in achieving compliance, and that ensuring a baseline level of security in areas of critical infrastructure such as utilities the financial services sector is a decidedly pro-business stance.

“This is national security,” Lieberman shot back at McCain at today’s hearing, arguing that the cybersecurity performance requirements that companies would have to demonstrate “will protect American business and American jobs.”

“It’s a security bill, not a regulatory bill,” Homeland Security Secretary Janet Napolitano told the committee, expressing the “administration’s strong support” for the bill.

McCain also took issue with the selection of DHS as the appropriate government authority to oversee cybersecurity, arguing, as he has in the past, that the National Security Agency and the Defense Department’s Cyber Command would be more effective at the task.

“I question why we have yet to have a serious discussion about who is best suited — which agency — who is best suited to protect our country from this threat,” he said.

The bill’s backers dismissed the charges from McCain and other critics of the bill who object that the measure is hastily being pushed through, citing more than three years of work that have seen 10 hearings on the subject, including today’s, convened within the homeland security committee alone and extensive private sector outreach.

Lieberman said that he understood from Reid that the legislation would be subject to an open amendment process, giving critics of the bill ample opportunity to make the case for changes to the bill and bring them to a floor vote. A spokesman for Reid was not immediately available to confirm that point of process.

Moreover, Napolitano argued that DHS, which already has a patchwork set of statutory and executive authorities over private-sector cybersecurity, has unique expertise among federal agencies in securing control systems, such as those that function as gateways to critical infrastructure systems such as the electrical grid.

“If you have the ability to interrupt a control system you [can] take down an entire protected network,” Napolitano said. “The attacks on control systems are growing more and more sophisticated all the time.”

The reaction among industry has been mixed, with some technology trade groups such as the Business Software Alliance offering statements of cautious support, while the U.S. Chamber of Commerce has signaled that it will fight the bill in its current form.

“You need to add the Chamber of Commerce to the chorus of people sounding the alarm,” Tom Ridge, the former secretary of homeland security who now chairs the leading business lobby’s task force on national security, said at today’s hearing. “Frankly the attackers, and the technology moves a lot faster than any regulatory body or political body will ever be able to move.”

Michael Chertoff, who succeeded Ridge at the helm of DHS, was unable to appear at Thursday’s hearing, but submitted written remarks for the record, broadly praising the new bill for establishing risk-based security standards, creating a framework for government and industry players to share information, and establishing liability protections for businesses that make a good faith effort at securing their systems. Specifically, Chertoff disputed the notion that industry can be trusted to enact adequate protections simply through incentives or other nonbinding measures.

“Some argue that cyber defense and security in our private sector are best left to the market and individual initiative and innovation,” he said in his statement. “While it is true that the private sector has unleashed enormous creativity in developing aspects of our cyber economy, it is far from clear that market incentives will be sufficient to spur adequate investment in cybersecurity.”

(For those keeping score, the Cybersecurity Act has a two-to-one favorable rating among the three current and former secretaries of homeland security.)

Ridge, who was on hand to represent an industry group that historically opposes new regulatory proposals, acknowledged that some of the changes the authors had made to the legislation were more business-friendly, such as the provision that would exempt companies operating in industries already overseen by a separate regulatory authority from the new DHS scrutiny.

But that’s small solace, Ridge said, arguing that the new regulations will inevitably result in a more compliance-oriented, and likely less secure, environment for businesses.

Collins countered that the legislation would have the opposite effect by elevating the profile of cybersecurity within the boardroom, citing a common lament from private-sector CIOs who feel that they can’t get their message through to their boss.

“I cannot tell you how many CIOs … with whom I have talked who have told me, ‘If only I could get the attention of the CEO on cybersecurity. We’re not investing enough. We’re not protecting our systems enough, and it’s just not a priority for the CEO,'” Collins said.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for