A comprehensive cybersecurity bill set for a vote in the Senate this week is drawing some late concern from the tech industry that could threaten several years of legislative work.
The bill has not been released publicly, but according to sources familiar with its content it takes a light touch approach to regulating network security at firms deemed part of the nation's critical infrastructure.
Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks said the bill's language suggests DHS could seize control of systems owned by private firms and cloud providers.
"The provision that establishes covered critical infrastructure presumes to give DHS new authority, that in my mind is overly broad, subject to interpretation and frankly goes beyond the boundaries of the role of government," Dix said, calling some of the new authorities "very scary."
Dix noted the bill gives the Secretary of DHS exclusive authority to determine what constitutes covered critical infrastructure, and to determine whether firms' risk management approach is adequate.
"I would argue that those of us in the protection business better understand how to manage risk than the government does or ever will," Dix said. He said he has offered suggestions on how the language could be narrowed to Senate staffers in hopes of improving the bill.
"The federal government must protect its own information. When this information is processed or stored by a contractor on behalf of an agency and isn't as secure as it should be, the government needs to have the authority to step in and improve security," said a spokesman for Senate Homeland Security Chairman Joe Lieberman (I-Conn.) in response.
"Intervention authority is routinely written into contracts. The senators and the administration think it is important enough to be written in statute. We have been receptive to the concerns raised and made changes and additions to the bill based on those concerns."
Supporters argue the provision in question is consistent with current federal cybersecurity law and applies only to sensitive government data on contractor computers. They note they have consistently reached out to stakeholders through the legislative process to address their concerns.
"The focus of the cybersecurity bill's on securing critical infrastructure systems, not on regulating or interfering with the design or development of IT products,” said a Senate Democratic aide in a statement. “As we get closer to a final bill, committees are modifying the language to ensure that intent is completely clear, and we expect that there will be broad support for this approach in the private sector/IT community."
But Dix argued the Senate bill would raise the broader issue of handing DHS regulatory authority for cybersecurity, before the agency has demonstrated the business case or competency needed. He said the bill would impose a regulatory burden on federal contractors, kill jobs, and stifle innovation.
Another expert familiar with the legislation called it a very gentle bill with minimal means for DHS to enforce the new cybersecurity standards. They said the bill was specifically softened to increase its likelihood of passage, but warned the concerns from Juniper and other IT firms could halt its momentum similar to fears about an Internet "kill switch" in the Senate bill last year.
Before the emergence of industry opposition the primary concern for supporters of the bill was marshalling enough bipartisan support to convince the House to pass a similar measure. The House has focused mostly on providing incentives for industry to share information on threats and attacks.
But White House cybersecurity coordinator Howard Schmidt warned Thursday that incentives alone wouldn't be enough to address the growing threat.
A lobbyist close to the issue said there is growing agreement between the House and Senate that limited regulation is needed. They expected the debate to center around which industries are regulated under the critical infrastructure portion of the bill and to what extent.
This story has been updated to correct a quote from a spokesman for Sen. Joe Lieberman wrongly attributed to Sen. Harry Reid's office.