CybersecurityBill would give the president emergency power to critical networks under attack

Then-acting Cyberspace Director Melissa Hathaway addressing RSA conference in 2009 // Source: cnet.com

A new congressional cyber security proposal would give the president emergency powers to protect critical private networks under attack, but the bill’s sponsors insisted it does not allow the government to take control of any private cyber-network.

Senate Homeland Security Committee chairman Joseph Lieberman (I-Connecticut), who helped create the legislation, said the president could order a patch or tell a cyber network to stop receiving incoming data from a particular country when critical infrastructure in the private sector such as the electrical grid or financial grid is threatened or attacked. A company that complies with the order would be given immunity from any liability for any consequences of the action.

Senator Susan Collins (R-Maine), the ranking Republican on the Homeland Security Committee, emphasized the proposal does not allow for any new surveillance authority.

“This isn’t a case of the federal government increasing its surveillance of private sector computers nor would it permit the government to take over private networks,” said Collins. “It enables the government in concert with the private sector to better protect our nation’s cyber assets.”

CNN’s Pam Benson reports that the bipartisan bill announced by Lieberman, Collins, and Senator Thomas Carper (D-Delaware), creates a cyber security center at DHS and would make the cyber security coordinator at the White House a permanent position, confirmed by the Senate. The position is currently appointed by the president.

Lieberman said the bill “is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions and attacks across the federal government and the private sector.”

Collins said the computer networks of Congress and executive agencies are attacked on average 1.8 billion times a month at a cost of billions of dollars to the national economy.

The proposed National Center for Cybersecurity and Communications would be located in DHS and would take the lead in federal efforts to protect government and private cyber networks in partnership with private industry.

Both Lieberman and Collins emphasized the importance of locating the center in department.

DHS was the natural and logical place to put it, because this is the department we created to protect our homeland security and protecting cyber space is a critical part of that,” said Lieberman.

The director of the White House Office for Cyber Policy would advise the president on cybersecurity issues and coordinate the development of a national cyber strategy.

The Homeland Security legislation will need to be reconciled with several other Senate bills, most notably the Commerce Committee proposal which puts operational control of cyber-security in the White House. The Commerce bill would create a national cybersecurity adviser to the president who would coordinate the government’s cyber efforts and work closely with the private sector. The setting and implementation of cyber policy would be vested in the president.

Benson notes that another important distinction between the two bills involves critical infrastructure. The Commerce bill calls for a joint public and private effort to develop standards for protecting essential networks. Once the standards are set, companies would have to certify compliance through an independent audit and take corrective measures if those standards are not met.

The Homeland Security bill gives the director of the National Center for Cybersecurity and Communications the authority to look for vulnerabilities in private networks and propose fixes to the companies involved. The companies would have flexibility in determining the specific security measure it implements as long as it meets the requirements of the director.

The head of a technology industry advocacy group is concerned that Homeland Security authority could have some “unintended consequences.” Phil Bond, the president of TechAmerica said in a written statement, “It will turn the Department of Homeland Security into a significant regulatory agency. Regulations like these could seriously undermine the very innovation we need to stay ahead of the bad actors and prosper as a nation.”

Bond did say there were many positive aspects of the overall legislation that his association can enthusiastically support, citing the elevation of the offices and people leading the government’s cybersecurity efforts at the White House and Homeland Security.

The U.S. Chamber of Commerce welcomed the Homeland Security legislation and was in the process of analyzing the impact the bill would have on the business community.