Senators press for increased cybersecurity attack planning

The federal government should work with the owners and operators of critical infrastructure to develop a comprehensive plan to respond to major attacks on cybersecurity networks, according to legislation unveiled Wednesday by Senate Commerce Committee Chairman John (Jay) Rockefeller, D-W.V., and Sen. Olympia Snowe, R-Maine.

The latest draft of their bill, which has been in the works for a year, would give the president the authority to declare a cybersecurity emergency. But the bill calls on the White House and private owners and operators of critical infrastructure, such as telecommunications systems and electrical grids, to work out in advance a response and recovery plan that would be implemented after an emergency is declared.

The president would be required to notify Congress in writing 48 hours after an emergency is declared and lay out the reasons and estimated time frame for it.

The bill also drops a provision that would have allowed the president to shut down computer networks during an emergency.

"At this very moment, sophisticated cyber enemies are trying to steal our identities, our money, our business innovations and our national security secrets," Rockefeller said.

"This 21st century threat calls for a robust 21st century response from our government, our private sector and our citizens," he added. "Private companies and the government must work together to protect our nation, our networks and our way of life from the growing cyber threat."

The Commerce Committee plans to mark up the bill in one week.

But the fate of cybersecurity legislation remains uncertain. Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, I-Conn., and ranking member Susan Collins, R-Maine, are working on their own cybersecurity bill. And a crowded Senate calendar could complicate efforts to pass any legislation this year.

The Rockefeller-Snowe bill aims to develop a collaborative relationship between federal regulators and private companies responsible for critical infrastructure. For example, it calls for the government and those companies to identify and adopt the best cybersecurity practices.

Companies that fail to adopt those best practices would be required to implement remediation plans.

"In practice, this would effectively be a government-coordinated private sector intervention to prevent a failing company from damaging the entire industry sector -- and the country's security along with it," according to a summary of the bill.

The legislation also would create a federal rulemaking process to identify and classify specific information technology networks that must be protected from disruption or incapacitation.

"The Rockefeller-Snowe initiative seeks to bring new high-level governmental attention to developing a fully integrated, thoroughly coordinated public-private partnership," Snowe said. "It is imperative that the public and private sectors marshal our collective forces in a collaborative and complementary manner to confront this urgent threat."