As Congress adjourned for the summer recess, some issues were left unresolved, most notably the question of a cybersecurity bill. Many have asked why. The answer is that I, and several of my colleagues, had deep concerns about the proposed bill. But I believe we can find common ground and a way forward.
There is no partisan dissent over whether cybersecurity – protecting computers, networks, programs and electronic information from being attacked and destroyed – is a critical issue. Experts have long cited cyber-terrorism as one of the potentially most dangerous threats to national security. Consider what might happen if a hostile government or terrorist organization launched an attack on our nation’s power grids, hospitals, nuclear facilities or major financial institutions – just to name a few possible targets. The effects would be devastating. The question is not whether we act to prevent such attacks, the question is how we act.
Two cybersecurity measures are now under consideration in the U.S. Senate. A bill authored by Senators Joe Lieberman (I-CT) and Susan Collins (R-ME), the Cybersecurity Act, would authorize the government to set standards for cybersecurity technology and determine which companies should comply with the government’s standards. I and seven of my colleagues, each of us the most senior Republican members of our committees and subcommittees that have jurisdiction over cybersecurity – Senators McCain, Chambliss, Grassley, Murkowski, Coats, Burr and Johnson – have co-sponsored an alternative, the SECURE IT Act. Our bill emphasizes information-sharing about cyber threats among and between private and public organizations, securing federal agencies against threat, ensuring that federal contractors report significant events, facilitating prosecution of cyber crime and focusing on research and technology to improve cybersecurity.
Cybersecurity experts agree that maintaining effective defenses requires cooperation and information-sharing both within critical industries and between the private sector and government. However, anti-trust and liability laws discourage or even prohibit cooperation among businesses, and our government’s standard operating procedure has been to warn about the risks of cyber attacks without always sharing specific information with the entities at greatest risk.
The Lieberman-Collins bill doesn’t fix these problems. Legal liability protections are weak for companies that want to cooperate with one another, and pre-determined government mandates would decide what cyber information should be shared by government. In contrast, the McCain-Hutchison bill authorizes essential legal liability and anti-trust protections for companies that want to work together to combat cyber threats. It also requires government agencies to share relevant information and assist companies and communities at cybersecurity risk.
The SECURE IT sponsors are concerned that the Lieberman-Collins bill would deter cooperation rather than encourage it. And we worry that it ignores cybersecurity’s biggest challenge: constantly and rapidly-evolving technological threats.
We need a nimble, flexible approach that can evolve at the same pace as emerging cyber threats. It must be driven by industries that know their systems best, and be a true collaboration between government and the private sector, where information-sharing is a two-way street.
McCain-Hutchison is the right foundation for a national cybersecurity policy. It is supported by the industries and organizations it impacts, and it can pass the House of Representatives. It recognizes the unique challenges presented by evolving technology and makes prosecuting cyber-crime a priority.
We all agree that cybersecurity is an issue of vital national importance. My bill co-sponsors and I are in continuing discussions with our colleagues in the Senate during the recess, with the goal of reaching consensus by Labor Day. I call on my friends on both sides of the aisle to come together to get it done.
This column was written by U.S. Sen. Kay Bailey Hutchison.