WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
Lawmakers reintroduced sweeping cybersecurity legislation in the Senate this week, stripping out some of the most controversial provisions that rankled privacy advocates and other critics when the bill first appeared last April.
The Cybersecurity Act, co-sponsored by Sens. John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine), would establish a framework for government partnership with the private sector to shore up critical infrastructure and codify procedures for the federal response to a "cybersecurity emergency."
But absent from the latest of several revisions to the bill is the controversial provision that would have authorized the president to shut down private-sector networks in the event of a major attack.
Instead, the substitute amendment of the bill would direct the president to develop response plans in concert with the private sector, and report to Congress within 48 hours of declaring a cybersecurity emergency. In revising the section detailing responsibilities and authorities, the lawmakers took pains to address the concerns of civil libertarians who blasted the original "kill-switch" provision authorizing the federal shutdown of private networks.
"This section does not authorize, and shall not be construed to authorize, an expansion of existing Presidential authorities," the substitute amendment reads.
The bill may also now be more palatable to privacy groups, who had warned of language that would have authorized the Department of Commerce to act outside the scope of current privacy laws in response to a cyber attack. Those provisions have been struck from the latest version of the bill.
"The Cybersecurity Act is vastly improved," Greg Nojeim, senior counsel with the Center for Democracy and Technology, a prominent Washington group that had protested the original bill, told InternetNews.com. "The revised version addresses many civil liberties concerns."
Nojeim praised the senators for dropping the Commerce Department authorization, but warned about vague substitute language that would set in motion a rulemaking process that could result in a mandate for ISPs to share sensitive information in the event of a cybersecurity emergency.
"We have sought additional clarification about the limits and about the parameters on the information sharing mandates," he said.
Rockefeller and Snowe said the primary objective of the legislation is to improve government coordination with the private sector, which owns and operates nearly 90 percent of the nation's communications networks.
The bill would obligate the White House to work with network operators to establish a set of best practices for security training and then subject those companies to an independent audit. Any firm that failed two consecutive audits would be placed under a government review program to bring it into compliance.
"In practice, this would effectively be a government-coordinated private sector intervention to prevent a failing company from damaging the entire industry sectorand the country's security along with it," the senators said in the bill summary.
A companion bill that is pending before the Senate Committee on Homeland Security and Government Affairs would install a national cybersecurity advisor in the White House who would report directly to the president. The position, which would require confirmation by the Senate, would elevate the top cybersecurity officer in the executive branch beyond the coordinator role President Obama established last year to serve jointly on the national economic and security councils.
The commerce committee is planning to mark up the Cybersecurity Act next Wednesday.