“Our economic security, our national security, our public safety are all at risk as a result from new kinds of enemies with new kinds of names like cyberwarriors, cyberspies, cyberterrorists and cybercriminals,” Lieberman said. “And that risk may be as serious to Homeland security as anything we face today.”
Lieberman said systems at agencies as diverse as NASA, the Commerce Department, and the Pentagon have suffered major intrusions by unknown foreign entities. He also said hackers have probed the systems controlling the electrical grid and stolen millions from businesses in monetary assets and intellectual property.
Phil Bond, president of the industry group TechAmerica, applauded the senators for tackling cybersecurity but said companies are concerned about DHS’ expanded role in regulating private network security. The bill is one of several pieces of legislation drafted in recent months aimed at improving the government’s cybersecurity.
“If the bill passes in its current form, it will turn the Department of Homeland Security into a significant regulatory agency,” Bond said. “Regulations like these could seriously undermine the very innovation we need to stay ahead of the bad actors and prosper as a nation.”
Under the bill, DHS's new National Center for Cybersecurity and Communications (NCCC) would be responsible for protecting against — and responding to — attacks on federal civilian networks as well as any private-sector assets deemed critical, a job that currently resides in the White House.
That authority would be limited to private networks whose suspension would result in deaths or massive property damage, according to a Senate aide. The aide said the president would not have a “kill-switch” for the Internet as previously reported.
The NCCC director would have operational authority over civilian networks, a civilian counterpart to the position occupied by Gen. Keith Alexander, head of the National Security Agency and commander of the new U.S. Cyber Command. The director would be appointed by the president, confirmed by the Senate and report directly to the secretary of Homeland Security.
The bill also would allow the president to declare a national cyber-emergency. After notifying Congress, he could order immediate measures be taken to safeguard any critical assets.
The lawmakers argued the emergency measures are part of a "reasonable framework," as they would expire after 30 days. But the bill would allow the president or NCCC director to extend them simply by saying in writing that a threat still exists.
Privacy advocates are likely to raise concerns about the emergency provisions; the decision to house operational security at DHS will also likely meet with opposition. Critics point to Alexander’s role as proof the intelligence community already has too much influence over cybersecurity.
Other measures in the bill include a sweeping overhaul of the Federal Information Security Management Act based on previous legislation introduced by Carper. The bill would shift the law’s focus from compliance to actively monitoring network threats.