By Suzanne Kelly
Senate members sparred Thursday over whether a new cybersecurity bill will effectively give the U.S. government and private security what it needs to defend itself against the dozens of attacks occurring daily on both government and private computer networks.
The Cybersecurity Act of 2012 proposes to house the government's cybersecurity headquarters within the Department of Homeland Security, which has already taken the lead among the government agencies on coordinating efforts to tackle sticky cybersecurity problems in cooperation with the National Security Agency.
Specifically, the act sets out guidelines for determining cybersecurity vulnerabilities, protecting and promoting innovation and encouraging companies to share information about cyberthreats, improving the security of the government's own cyber networks, and coordinating research and development while clarifying the roles of federal agencies.
Perhaps the most controversial effort of the Act is to establish a partnership between the government and the sector of private industry that controls "critical infrastructure" systems, such as the country's air traffic control system, water filtration facilities, banking systems and electrical grids.
Sen. John Rockefeller, D-West Virginia, perhaps made the most urgent case for passing the legislation saying U.S. citizens are at great risk and they don't even know it.
"It's hard to talk about this sometimes without seeming alarmist," said Rockefeller before detailing how the threat in the cyberworld could strike in the real one, using the example of a potential attack on the nation's air traffic control system.
"Cyberhackers can take that out. So the planes are literally flying in the dark and they will fly into each other and kill a lot of people," Rockefeller said.
Under the legislation, private companies that control such "critical infrastructures" would be identified the Department of Homeland Security and each individual company would be required to secure their own networks from cyberattack, and then "self-certify" in an effort to show the U.S. government it had complied. DHS would have the opportunity to spot check companies, and failure to secure could lead to civilian penalties. The voluntary nature of the bill is one of the criticisms.
Sen. John McCain of Arizona was one of seven Republican senators who sent a letter to the Senate leadership saying the bill had not been offered to other committees that should have a say in it. During Thursday's hearing, McCain talked about concerns on how the new measures would be paid for, and he expressed doubts about seating the department at what he referred to as the "regulatory leviathon at DHS."
"Given the serious national security and economic consequences of any legislation, it is imperative that the other committees of jurisdiction be given the opportunity to share the legislative outcome in a bipartisan manner," said McCain, who promised the introduction of an alternative bill on cybersecurity.
The chairman of the Homeland Security Committee, Sen. Joseph Lieberman of Connecticut, disagreed with McCain, saying that he had in fact reached out to all seven of the Republican senators who signed the letter and that everyone had the chance to work toward consensus.
"I'm sorry they haven't been engaged before and I'm glad they're gonna be engaged now," said Lieberman in a civil but tense exchange with McCain.
At a separate worldwide threats hearing earlier in the day, Director of National Intelligence James Clapper and Director of the Defense Intelligence Agency, Lt. General Ronald Burgess, both praised the bill and pressed lawmakers on the urgency of the threat.
Clapper listed counterterrorism, counterproliferation, cybersecurity and counterintelligence as the most pressing security concerns facing the intelligence community.