The state of U.S. computer security today hearkens back to the pre-Sept. 11 days when the CIA and the FBI were not authorized to share intelligence, said federal officials and lawmakers promoting a new bill that would authorize the government and industry to exchange network threat information.
The legislation, a mix of several rival bills, would direct the Homeland Security Department to coordinate the protection of private networks. It would require businesses running critical systems to comply with basic security rules and to notify the government of major disruptions. The measure, S. 2105, also would allow the intelligence community to share classified tips with firms and let companies disclose threat information to the government without being held liable.
"The first thing after 9/11 we had to pass -- sadly, pathetically -- was a law saying that the FBI and the CIA could talk to each other," Sen. John D. "Jay" Rockefeller IV, D-W.Va., chairman of the Commerce, Science and Transportation Committee and a bill co-sponsor, said during a Thursday afternoon hearing on the legislation. "But that's where we were because of stovepipes."
At the Homeland Security and Governmental Affairs Committee session, DHS Secretary Janet Napolitano praised the measure for establishing a procedure to collaborate with companies whose energy, communications, banking and other systems -- if interrupted -- could yield massive loss of life, extended evacuations or economic disaster.
"The specific authority that the statute contains -- the most important -- is the ability to bring all of the nation's critical infrastructure up to a certain base standard of security," she said. "It clarifies the kind of information sharing that can occur without violating other federal statutes." This is a current area of legal uncertainty that often stymies emergency response, Napolitano said.
Senate Republicans and some powerful industries have raised doubts about the standards. Some senators, along with the U.S. Chamber of Commerce and the Financial Services Roundtable, oppose Homeland Security's potential regulatory reach. Republicans argue that Democrats are rushing a bill to the floor without proper committee vetting.
Committee member Sen. John McCain, R-Ariz., said Senate minority leaders intend to introduce their own package after the upcoming holiday weekend, likely delaying a final vote on any sort of cyber bill. Republicans and Democrats in both chambers have been trying to pass computer security reforms for almost two years.
But at least one major commercial tech company that also contracts with the government says the legislation hits the right regulatory balance to allow free enterprise and national security.
Market forces alone are insufficient to protect the United States from a cyberattack on a par with a Hiroshima or Pearl Harbor, explained Scott Charney, Microsoft's corporate vice president for trustworthy computing.
When faced with an intrusion, "sometimes we know what to do and we execute well. But we don't execute at scale," he said. "I think there are some companies that do a very good job of protecting critical infrastructure today. The question is, are we doing it at enough scale to really manage the risks that the country faces, and I don't think we are."