Forecast for cybersecurity bills looks cloudy in reconvened Congress

NEW YORK -- Passage of bills to better protect computer networks and the nation's electric grid from attacks is uncertain in a reconvened Congress because lawmakers are undecided over how to bring private industry onboard, the leader of a House Homeland Security subpanel said recently.

Three key cybersecurity bills -- the Grid Reliability and Infrastructure Defense; Cybersecurity; and Protecting Cyberspace as a National Asset acts -- are likely to stall during Congress' lame-duck session, said Rep. Yvette Clarke, D-N.Y., during the information security convention SC World Congress last week.

This means the federal government will continue to lack a clear legislative mandate on which agencies are in charge of safeguarding networks and how much private companies should be regulated, amid heightened rhetoric about information security threats, said Clarke, chairwoman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

Clarke spoke a week after Republicans gained control of the House, a development that has raised industry speculation Congress will go easy on regulating enterprise.

The New York Democrat said in an interview that she was "not confident about the status" of the Protecting Cyberspace as a National Asset Act (S. 3480), sponsored by Sens. Tom Carper, D-Del.; Joe Lieberman, I-Conn.; and Susan Collins, R-Maine. The bill would give the president powers to declare a national cyber emergency and issue crisis directives, as well as bring the U.S. Computer Emergency Readiness Team at the Homeland Security Department to the forefront of coordinating information sharing between the public and private sectors.

"There's still a lot of dialogue that needs to be had over the level of collaboration in terms of private sector knowledge in helping to shape that bill," said Clarke, adding there was a general concern the measure was "too regulatory." The Senate Homeland Security and Governmental Affairs Committee reported the bill to the full chamber in June.

She added the 2009 Cybersecurity Act (S.773), sponsored by Sens. John Rockefeller, D-W.Va.; Olympia Snowe, R-Maine; Barbara Mikulski, D-Md.; and Bill Nelson, D-Fla.; also met with resistance on the floor because "it does not take into account business nuances." The legislation calls for a testing and accreditation protocol for software the federal government and contractors use, and a coordinated system to license security professionals.

Paired with another bill (S. 778) that would establish a White House Office of the National Cybersecurity Adviser to counsel the president on cyber issues and budget needs, the legislation is aimed at fostering information sharing between government and industry.

"You don't want to stymie innovation," Clarke said. "We want to create as many win-win scenarios as we possibly can. So I'm thinking we may want to take a deep breath" and look again at the Cybersecurity Act. Rockefeller's office did not respond to a request for comment.

Because passage of the GRID Act, sponsored by Reps. Ed Markey, D-Mass., and Fred Upton, R-Mich., could ride on these bills, it also faces an uncertain future. The GRID Act is aimed at preventing a collapse of the national electric grid and gives the Federal Energy Regulatory Commission authority to establish measures and mandates to prevent data breaches. It passed the House in June and has been reported to the Senate.

"From what we are hearing, there is interest in passing the bill, as part of a larger bill on general cybersecurity," Clarke said in a speech. "I am concerned that this approach will stall the potential passage of the bill, and the GRID Act may not, in the end, pass."

The lame-duck session is not the time to take up cybersecurity legislation, said J. Howard Beales III, a professor at The George Washington University's School of Business and former director of the Federal Trade Commission's Consumer Protection Bureau. "For the people who are going to be booted out, it's going to be hard for them to argue that our consensus is Congress' consensus," he said.

Beales, whose responsibilities at FTC included providing guidance to corporations on protecting consumer information, said information security can't be a series of mandates, but "needs to take a process-oriented approach."