Congress Takes Aim at Cybersecurity Threats

Proposed cybersecurity legislation circulating on Capitol Hill would give the president the power to declare an emergency in the case of big online attacks and force some businesses to beef up their cyber defenses and submit to scrutiny.

The draft bill, a copy of which was obtained by Reuters, allows the president to declare an emergency if there is an imminent threat to the U.S. electrical grid or other critical infrastructure such as the water supply or financial network because of a cyber attack.

Industries, companies or portions of companies could be temporarily shut down, or be required to take other steps to address threats.

The emergency declaration would last for 30 days, unless the president renews it. It cannot last more than 90 days without action from Congress.

The draft is a combination of two cybersecurity bills that were merged into one at the urging of Senate Majority Leader Harry Reid. “It (comprehensive cybersecurity legislation) is something that we hope to be able to pass before the end of the year, if we can,” Reid spokeswoman Regan Lachapelle told Reuters.

Industry opposition could make it a tough go for the bill to get through the Senate and House of Representatives before the end of the year.

Steve DelBianco, director of the trade group NetChoice, whose members include Yahoo, eBay and News Corp., objected to a part of the bill that would bar companies designated as “critical” from fighting that designation in court.

“That has to be amended to make this bill fair to the businesses who will pay for it,” he said.

The draft tries to calm fears that the government is reaching too far into business operations by requiring specific designations for parts of a company or industry that might be considered “critical infrastructure.”

“Citibank router A to the New York Stock Exchange may be considered critical. It’s not all of Citibank. It’s not the entire banking sector,” said a Senate staffer who declined to be identified because the staffer was not authorized to speak on the record.

Cybersecurity experts have been warning of the possibility of a massive attack for more than a decade, and hacking attacks, including one on Google Inc. and other companies within the past year, have sounded alarm bells.

Many attacks have been more minor in scope, including one earlier Tuesday on social networking website Twitter.

The effort has backing from Senator Jay Rockefeller, a Democrat who chairs the Senate Commerce Committee.

‘VANILLA STUFF’

A presidential order may not be as dramatic as businesses fear and could simply require the installation of a particular patch, said James Lewis at the Center for Strategic and International Studies.

“I don’t think this is a big deal. The president can order people to take protective action,” Lewis said. “People need to take a deep breath. This is pretty vanilla stuff.”

Even in the absence of an imminent threat, companies could face government scrutiny. Company employees working in cybersecurity would need appropriate skills. They also might be required to report cyber threats to the government and to have plans for responding to a cyber attack.

Technology and telecommunications companies oppose mandates such as certification of cybersecurity professionals and a requirement that portions of a network be shut down to mitigate threats.

The draft is based largely on a proposal sponsored by independent Senator Joseph Lieberman, Republican Susan Collins and Democrat Thomas Carper, and one by Rockefeller and Republican Olympia Snowe.

Collins expects more negotiations and changes in the draft to promote security enhancements and to minimize regulatory costs, a committee staffer said.

Negotiators working on the draft are considering allowing critical infrastructure companies that are compliant with the best practices to be protected from lawsuits demanding punitive damages for a breach.

(Reporting by Diane Bartz; Editing by Robert MacMillan and Steve Orlofsky)

Topics Cyber Legislation