The Senate will debate cybersecurity legislation in early 2012, according to a letter from Majority Leader Harry Reid (D-Nev.) to Minority Leader Mitch McConnell (R-Ky.) late Wednesday.
“Given the magnitude of the threat and the gaps in the government’s ability to respond, we cannot afford to delay action on this critical legislation,” Reid wrote. “For that reason, it is my intent to bring comprehensive cyber security legislation to the Senate floor for consideration during the first Senate work period of next year.”
Both Senate Democrats and the White House have taken to heart warnings from cybersecurity experts that the nation’s critical infrastructure is wide open to a cyber attack that could cripple the national economy or cost numerous lives. Their proposals would task the Department of Homeland Security with regulating network security for sectors including communications and utilities.
“It is my firm hope that the working groups will be able to achieve an agreement on legislation by then, but I believe the cyber threat to be of such urgency that we must act whether or not such agreement can be reached,” Reid wrote.
Reid’s letter also indicates some flexibility on the concept of comprehensive legislation. Notably, he called legislative recommendations released by the House Republican Cyber Security Task Force last month “fully consistent with our efforts” even though it would limit enforcement to highly regulated sectors such as nuclear power and water-treatment plants.
The House GOP’s plan also focuses on incentivizing industry to boost its security via tax credits and liability protection, a significant departure from the approach favored by the Democrats. Rep. Dan Lungren (R-Calif.), chairman of the House Homeland Security subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, told The Hill on Wednesday that Republicans are refining their initial recommendations and plan to move forward with legislation independent of the Senate, though he welcomed input from both parties.
The cooperative tone on Capitol Hill recently confirms the sense that both sides view some action as better than nothing, even if the bill falls short of requiring private-sector firms deemed critical to comply with federal security standards. Cybersecurity experts have warned that firms will not take action unless they are compelled to do so by the government.
The original White House plan released in May embraced a broad definition of critical infrastructure and encouraged compliance by publishing the results of security audits. Some Democrats have indicated that DHS should have more enforcement authority, such as the ability to levy fines against firms that fail to take adequate action.
Senior Obama administration officials met with the heads of the relevant Senate committees last month behind closed doors to stress the urgency of passing legislation this calendar year. Both sides expressed optimism about the possibility of moving forward after resolving issues such as legal liability for companies that report attacks and share information with the government.
But cybersecurity is still nascent as a political topic, and stakeholders believe the passing of any legislation would be a productive step that would help raise awareness of the problem. The framing of the issue as a national security measure also adds impetus for lawmakers on both sides of the aisle to add their support.
The news was welcomed by longtime supporters of cybersecurity legislation, including Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-Conn.), ranking member Susan Collins (R-Maine) and Sen. Tom Carper (D-Del.). Lieberman has pushed for Reid to bring the legislation to the floor and settle the remaining issues via open debate.
“Every day Congress fails to strengthen the cybersecurity of the nation’s critical infrastructure is another day of unacceptable risk for our country,” the three senators said in a news release issued late Wednesday. “Hackers, criminals, and antagonistic foreign powers are maliciously probing our cyber defenses every day on an unprecedented scale, and it is no secret they have found our defenses to be vulnerable.
“There is no such thing as 100 percent security, on- or offline, but we must take action to strengthen our defenses against those who are constantly working to do us harm.”