Dire Warnings (And a Few Fireworks) at Committee Hearing on the Cybersecurity Act of 2012

Published On: Feb. 17, 2012

Last Updated: Oct. 05, 2020

With perhaps an overly optimistic statement that he “hopes it is the last hearing” on cybersecurity by the Senate Homeland Security & Government Affairs Committee before S.2105 passes, Sen. Lieberman opened the hearing today (February 16, 2012) on the Cybersecurity Act of 2012 by noting the phenomenal damage being done to our networks and the resulting need to “protect the treasures of America’s innovation.”  Sen. Lieberman stated his belief that the right balance has been struck with the introduction of S.2105, but comments by members of the committee and testimony by various witnesses would seem to indicate otherwise…particularly Sen. McCain.

Introduced publicly just two days ago, S.2105 does appear (at a macro level) to strike a balance in terms of major issues. The bill clearly resulted from some careful work by the various members and their staffers, who had the goal of crafting a bipartisan proposal that places a heavy focus on public-private partnership while avoiding some of the controversial issues that were problematic in earlier attempts at cybersecurity legislation.  For example, the bill does address critical infrastructure and information sharing, while leaving out the highly controversial “kill switch” and omitting any language about data breach notification. Unlike earlier bills, S.2105 reaches a somewhat balanced position between the narrower, single-issue bills (e.g., those focused solely on data breach) and the “omnibus” bills that try to cover everything at once (e.g., the earlier versions of Rockefeller-Snowe).

One very spirited exchange occurred just prior to Sen. McCain’s questioning of Sec. Napolitano.  Sen. McCain began with a vitriolic attack on the process for bringing the bill to the floor.  While first noting that the threats are very real, he went on to state that “we need to begin with a transparent process” and not send something to the floor without a single markup by other committees.  Calling it a “legislative Mulligan”, Sen. McCain said that he and six other ranking minority members from a total of seven committees were left with no choice but to introduce an alternative cybersecurity bill that will establish a “cooperative relationship with the private sector rather than an adversarial one with proscriptive regulations.”  Sen. Lieberman responded that his committee had asked for everyone to be involved and that he welcomed the competing bill.

Among the witnesses were several cybersecurity rock stars.  During the first panel, Sen. Rockefeller stated that this is “not a Republican or Democratic issue, but an issue of life or death for our economy.”  Sen. Feinstein followed and attempted to set certain parties at ease by observing that “there are no new authorities [in the bill] for government surveillance.”  During the second panel, DHS Secretary Napolitano faced a slew of questions and noted in response to a question from Sen. Pryor that she needs additional authorities to “bring all U.S. critical infrastructure up to a base level of security.”  She further noted that lawyers can be problematic when it comes to information sharing because “once the lawyers get [information about a breach], it takes some time.”

Panel III (representing the private sector) consisted of Tom Ridge, Stewart Baker, Jim Lewis, and Scott Charney.  Most notable from this panel were some of the more cautionary statements.  Mr. Ridge pointed out that when it comes to a regulatory approach, a “light touch [as this bill has been characterized in some press accounts] can turn into a stranglehold [and become] very proscriptive.”  Jim Lewis remarked that “America is a big slow target,” but that well designed legislation could actually incentivize innovation.  Mr. Lewis also mentioned that his motto for 2012 related to cybersecurity is “brace for impact.”  Stewart Baker indicated a concern that agreement by all relevant stakeholders to the performance standards in the bill could take eight to ten years, while an attack could occur in much less time than that.  He suggested that a provision be added that in the case of a cyber emergency, Secretary Napolitano be allowed to “compress the timeframes” in a way that would allow DHS to respond appropriately.  Finally, Scott Charney reminded everyone that any legislation must address the global aspects of our networked environment.

As has been rhetorically asked on numerous occasions, is this the bill that really has a chance of passing?  That remains to be seen.  I attended today’s hearing and if it is any indication of how things will progress, Congress is far from agreement as to how to approach the cybersecurity issue.  Perhaps one analogy offered by Stewart Baker, however, will create enough incentive.  Mr. Baker said the best cybersecurity threat comparison that he could think of would be “New Orleans, a day after Katrina.”  Unlike Katrina, however, he said that in the case of a serious cybersecurity attack, we likely wouldn’t have any warning and the National Guard won’t be at the ready to help with the results of the attack.  Let’s hope Congress can work through their differences quickly and come up with a truly balanced piece of legislation.  As Sen. Lieberman noted – “time is not on our side.”