Thank you for contacting me regarding the cybersecurity legislation. I appreciate hearing from you on this important issue.
Our nation's businesses, critical infrastructure, and communities are all vulnerable to malicious cyber activity on the computer networks that increasingly connect us all. These malicious actions could be taken by individuals acting alone, organized groups of hackers, foreign companies, and even other nation states. The question is not if the nation should prepare itself, but rather how we should prepare ourselves to protect our critical computer systems and related assets. I believe our approach to cyber security needs to be risk-based, cost-effective, and pursued as a partnership between the federal government and the private sector.
There have been several bills introduced this Congress regarding cybersecurity. I would like to describe briefly the two primary Senate bills.
Senator Joseph Lieberman (ID-CT) introduced the Cybersecurity Act of 2012 (S. 2105) on February 14, 2012. The proposed legislation has been referred to the Senate Committee on Homeland Security and Governmental Affairs where it is currently awaiting further review. If enacted, this proposed legislation would establish a framework where the U.S. Department of Homeland Security (DHS) consults with stakeholders to determine which computer systems and assets across the various sectors of our economy face the greatest immediate risk. The proposed legislation would establish a procedure for the designation of companies that own and/or operate the covered "critical infrastructure" and would identify existing cybersecurity standards or develop new risk-based cybersecurity performance requirements when necessary; and would implement cyber response and restoration plans. Each covered company develops its own security plans. Each covered company would have the option of self-certifying it meets the requirements or it can have an approved third party certify compliance with the requirements. Companies in substantial compliance with the performance requirements at the time of a cyber-incident would receive protection from any punitive damages associated with the incident. This framework for cybersecurity only applies to computer systems and assets within the sectors of the economy that are not already covered by existing requirements.
Additionally, the Act would make improvements to the cyber security of critical federal information technology systems; streamline cybersecurity efforts at DHS; require DHS to implement a cybersecurity outreach and awareness program; establish a program to develop and recruit more individuals to work in cybersecurity; require the development of a national cyber security R&D plan and establishment of a basic cybersecurity R&D program at the National Science Foundation; authorize private entities to disclose or receive lawfully obtained cybersecurity threat information to protect an information system; establish a process to designate "cybersecurity exchanges" so that public and private sector organizations can share information; and provide a legal safe harbor for entities engaged in cybersecurity monitoring activities.
Senator John McCain (R-AZ) introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act (S. 2151) on March 1, 2012. The proposed legislation has been referred to the Senate Committee on Commerce, Science, and Transportation where it is awaiting further review. If enacted, this proposed legislation would encourage private sector companies to share cyber threat information with other private sector companies and the federal government, but would require federal contractors to share cyber threat information with the federal government if they provide communications services or cybersecurity services to the federal government and the threat is directly related to those services. The Act also updates the Federal Information Security Management Act, strengthening the Federal Government's capacity to better protect federal civilian networks from cyber vulnerabilities. It increases criminal penalties for cybercrimes and prioritizes existing cybersecurity research.
The United States has always been seen as a leader on Internet issues. Laws we establish in the United States regarding the Internet are likely to be used as models around the world. And because the Internet is global in nature, it is important that we carefully consider how the laws and policies we adopt in this area may be received and translated by other countries. Please be assured that I will keep your thoughts in mind should I have the opportunity to vote on this or similar legislation regarding cybersecurity.
Thank you again for contacting me to share your thoughts on this matter. You may also be interested in signing up for periodic updates for Washington State residents. If you are interested in subscribing to this update, please visit my website at http://cantwell.senate.gov. Please do not hesitate to contact me in the future if I can be of further assistance.
United States Senator