After introducing dozens of cybersecurity bills and holding months of hearings on threats from hackers, Congress is moving toward a vote on legislation to secure the nation's computer networks.
Thus far, more than 30 cybersecurity bills have been unveiled on Capitol Hill, emerging from a wide range of committees, including Commerce, Foreign Affairs and Homeland Security. Senate Majority Leader Harry Reid (D-Nev.) has said he plans to combine those proposals into comprehensive legislation and bring that bill to the Senate floor early this year. When he does, it will be the farthest that major cybersecurity legislation has ever advanced in Congress.
What that final bill will include has become increasingly clear in recent days as a draft of the legislation has circulated around Washington. Though not finalized, the legislation is similar to a White House proposal issued last May, according to people who have seen a draft of the bill.
The White House proposal calls for increasing penalties for computer hacking, giving more authority to the Department of Homeland Security to protect critical infrastructure from cyberattacks, offering incentives to private companies to encourage them to improve cybersecurity, and promoting information sharing about cyber threats between the public and private sectors.
In a blog post last week, White House cybersecurity coordinator Howard Schmidt called on Congress to pass a law that offers "the full range of tools our cyber-security professionals need to more effectively deal with this growing and increasingly sophisticated threat."
"Now is the time to pass legislation that ensures the companies we rely on to power our hospitals, supply our water, support our troops, and drive the economic engine of our country are adequately addressing cyber-security risks," Schmidt wrote.
The growing push for passing cybersecurity legislation comes after numerous government agencies and major corporations revealed last year that hackers had infiltrated their networks to steal corporate secrets or leak sensitive customer data. On Tuesday, Director of National Intelligence Jim Clapper told the Senate Intelligence Committee that "entities" within China and Russia are responsible for "extensive illicit intrusions into U.S. computer networks and theft of U.S. intellectual property."
Those cyberattacks have changed the politics on cybersecurity legislation, according to Stewart Baker, a former assistant secretary at the Department of Homeland Security. For years, members of Congress who issued warnings about cyber threats were met largely with skepticism, Baker said. But after a year filled with high-profile computer breaches, the political landscape has changed.
"Now, no one can ignore the massive extent of intrusions that practically every company and every government agency has suffered," Baker said.
Perhaps the biggest concern among cyber experts lies with critical infrastructure: the power grid, Wall Street, transportation systems and water facilities. Experts agree that a cyberattack against these networks would be devastating to the economy and potentially cost lives.
But in an op-ed published Wednesday in Roll Call, U.S. Rep. James Langevin (D-R.I.) wrote that private owners and operators of the nation's critical infrastructure "don't take this threat seriously enough."
"Among our critical infrastructure, we lack even simple security measures for many of the systems that control our electric grid, water and sewage plants, and financial and telecommunications systems," wrote Langevin, who is co-founder of the Congressional Cybersecurity Caucus.
Langevin said that Stuxnet, a sophisticated computer worm that destroyed parts of Iran's nuclear program, "could devastate parts of these industries, resulting in enormous costs, borne largely by the taxpayer."
For cyber legislation to pass, the bill must assuage the concerns of both business and privacy lobbyists. Last May, an internal memo from the U.S. Chamber of Commerce called the White House cybersecurity proposal "regulatory overreach" because it would require greater cybersecurity oversight of companies that operate critical infrastructure.
Meanwhile, The Constitution Project, a nonpartisan legal think tank, issued a report last week raising concerns about proposals to expand government cybersecurity programs to cover private networks, claiming that such an effort "runs the risk of establishing a program akin to wiretapping all network users' communications."
Tom Kellermann, a member of President Barack Obama's commission on cybersecurity, said that legislation would not come at the expense of privacy because hackers are increasingly snooping on Americans' personal communications. [NOTE: The commission was formed by the Center for Strategic and International Studies, a bipartisan nonprofit research group not affiliated with the U.S. Government.]
"The long-term economic viability of the United States is dependent on legislation like this passing," he said.
At a Senate Intelligence Committee hearing on Tuesday, Sen. Jay Rockefeller (D-W.Va.), a co-sponsor of cybersecurity legislation, warned that hackers "have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on."
Rockefeller said his colleagues need to act "immediately" on cyber legislation.
"Over the past few months we have accelerated our efforts, and I'm confident that every voice has been heard," Rockefeller said. "We have momentum."