Senators aim to win over industry with new cybersecurity compromise

Two senators seeking to build support for a compromise cybersecurity proposal have dropped a key provision requiring third-party audits for companies operating critical infrastructure.

The move by Sens. Sheldon Whitehouse (D-R.I.) and Jon Kyl (R-Ariz.) is intended to win industry support and break a stalemate over cybersecurity legislation in the Senate.

Aides for the two lawmakers have been working to find a middle ground on establishing security standards for owners and operators of critical infrastructure, such as water systems, power plants and telecommunications networks.

The latest version leaves out the so-called “national security need” section that was included in a draft proposal circulated last month, according to two people familiar with the updated framework.

The old section would have authorized the Defense Department (DOD) and Department of Homeland Security (DHS) to require operators of infrastructure that would "cause a severe degradation of national security" if disabled to submit to third-party audits on the security of their systems and networks.

Business groups argued the concept ran counter to the framework's promise of voluntary participation in a program that would have provided incentives to companies that self-certified they had met security standards. The U.S. Chamber of Commerce and the Information Technology Industry Council argued the draft relied too heavily on regulation.

The updated framework proposes to establish an inter-agency council that would designate which companies are "core" critical infrastructure or key to the nation's day-to-day functioning, according to sources. Discussions are still ongoing about whether DHS should lead the council.

It would give Congress the authority to review these designations and would adopt the same definition of "core" critical infrastructure that is used in Sen. Joe Lieberman's (I-Conn.) cybersecurity bill.

The inter-agency council would review best practices for cybersecurity that are proposed by industry advisory committees, the sources said. The Commerce Department would identify which private sector entities would participate in these advisory committees.

The council would approve or amend the proposed best practices and designate them as "voluntary baseline performance goals."

Operators of critical infrastructure could elect to follow these performance goals in exchange for liability protections, such as receiving security clearances and government intelligence on cyber threats to their systems and networks.

Critical infrastructure operators could also choose to "self-certify" that they meet the performance goals. The catch: Operators would only receive these liability protections if they agree to allow a private sector auditor — approved by the inter-agency council — to conduct an evaluation every three years on whether they meet the performance goals for their sector.

The latest version of the compromise framework still does not include legislative language, the sources said.

It's unclear whether these new changes to the compromise framework will be enough to satisfy the Chamber of Commerce, which has been one of the toughest critics of critical infrastructure provisions. The sources emphasized that the latest version proposes a purely voluntary approach.

Kyl and his staff are meeting with the Chamber on Wednesday to work on finding a compromise over cybersecurity legislation. The Arizona senator said he wanted to meet with the Chamber to see if they could "work something out that's acceptable to them and to folks on the other side as well."

"We thought it was time to actually tell them what we were thinking of, get their response to it," Kyl said, adding that the Chamber's support will be key to moving the ball forward in the Senate.

"You'll have to ask [Majority] Leader Reid if he's comfortable putting forward a bill that's really controversial and less likely to pass. My guess is he'll want to have some assurances that the legislation on the floor has a good chance of passing in a relatively short period of time. I would subscribe to that view," Kyl said. "And so I think their views are important to members of Congress. ... The question is whether we can get a bill on the floor."

The Chamber has argued that provisions in Lieberman's bill requiring critical infrastructure operators to meet new cybersecurity standards, developed in part by the government, would saddle industry with burdensome regulations.

The powerful business lobby has backed the approach in Sen. John McCain's (R-Ariz.) rival cybersecurity bill, the SECURE IT Act, which does not include security mandates for critical infrastructure and focuses instead on improving information sharing about cyber threats between industry and government.

— This story was updated at 4:33 p.m. with comment from Sen. Kyl.