A Senate cybersecurity bill introduced last week removes a key provision from earlier legislation that would require companies to protect their computer systems, an omission that still leaves the nation at risk of a cyber attack, experts warn.
On Thursday, a group of five senators re-introduced the cybersecurity legislation. An earlier version of the bill required companies that run the power grid, gas pipelines, water supply systems and other critical infrastructure to meet a certain level of security or face penalties.
But Republicans opposed the initial bill, claiming it was unfair for the government to force companies to make costly security improvements. So the bill's sponsors said they compromised. The new version of the bill says companies can volunteer to have their security practices inspected by the government and can recommend their own security improvements, which would be voluntary.
The Senate is expected to consider the bill later this week.
But experts say the compromise means the bill does little to protect the nation from hackers. Without the government enforcing cybersecurity, companies are unlikely to strengthen their networks on their own, they say.
The new bill "basically depends on the industry to make a good faith effort to improve security, and up until now they haven't done anything," said Joe Weiss, a security expert on critical infrastructure. "The question is, 'Why would you expect all of a sudden for that to change?'"
James Lewis, a senior fellow at the Center for Strategic and International Studies, said, "The problem is the bill doesn’t give the government any new capabilities. You don’t need this bill. Nothing really changes."
The bill's sponsors -- who said they removed regulations from the legislation to get Republican support -- expressed their preference for the previous bill, but emphasized that they believe the newest version would still be effective.
"This compromise will significantly strengthen the cybersecurity of the nation's most critical infrastructure and with it our national and economic security," Sen. Joe Lieberman (I-Conn.) said in a statement after the revised bill was introduced.
On Thursday, President Barack Obama pushed for the bill's passage in an op-ed in the Wall Street Journal. He said the bill was needed because hackers "are probing our financial, energy and public safety systems every day."
For months, the Obama administration has been pushing for new authority to enforce security standards in critical infrastructure. In March, Gen. Keith Alexander, head of the National Security Agency, told Congress the government needed that authority because critical infrastructure operators weren't taking even basic security steps, like updating software.
Many experts believe the nation's vital computer networks are vulnerable to an attack that could lead to the collapse of the banking system, sustained blackouts or even mass casualties. Some have made comparisons to the lack of airport security before the Sept. 11 attacks.
The threat appears to be growing. Last year, hackers broke into computer systems running critical infrastructure nearly 200 times, compared with 41 times the year before, according to a report last month from the U.S. Industrial Control Systems Cyber Emergency Response Team.
Earlier this year, House Republicans also removed language from a cybersecurity bill that would have forced companies to meet baseline security standards. That bill passed in April.
Lewis, of the Center for Strategic and International Studies, said Senate Democrats likely acceded to Republicans' demands because time was running out during an election year.
"They wrote the bill that was going to get the votes," Lewis said. "And in doing that they left out the most important part."