Senators introduce long-awaited cyber bill

Tuesday - 2/14/2012, 6:57pm EST

Three senior senators today finally introduced the long-awaited comprehensive cybersecurity bill.

The three-year effort, now known as the Cybersecurity Act of 2012 (S. 2105), is an attempt to secure federal systems by updating the Federal Information Security Management Act (FISMA) and expanding the role of the Homeland Security Department in securing critical infrastructure, such as the power grid, water systems and other sectors that are vital to the nation.

The bill comes on the heels of President Barack Obama asking for a major upgrade of $751 million at DHS alone in the fiscal 2013 budget request sent to Congress Monday. In addition to money for DHS, the administration is making cybersecurity one of 14 governmentwide initiatives.

All of these efforts signal one of the strongest pushes by both Congress and the administration to address cyber vulnerabilities in the government and in the private sector in the last three years.

"Consider the warning signs, hackers now seem to be able to routinely crack the codes of our government agencies, including the most sensitive ones," said Sen. Jay Rockefeller (D-W.Va.) in a floor statement introducing the bill Tuesday. "Our Fortune 500 companies, they do routinely, and then everything in between. Adm. Mike Mullen, former Joint Chiefs chairman, said the cybersecurity threat is the only other threat that is on the same level as Russia's stockpile of nuclear weapons. Loose nukes, if you will. FBI Director Robert Mueller testified to Congress very recently that the cyber threat will soon overcome terrorism as the top national security focus of the FBI."

Part of an evolutionary process

The latest bill also follows closely the administration's cybersecurity proposal sent to Capitol Hill in May.

The Senate bill, which also is sponsored by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), is part of an evolutionary process that has been vetted wide and far, said a Senate staff member during a press briefing on the bill Tuesday.

Within hours, seven Senate Republicans wrote to Majority Leader Harry Reid (D-Nev.) and Minority Leader Mitch McConnell (R-Ky.) asking for other committees to have input in the cyber legislation process.

"The chair and ranking member of the Committee on Homeland Security and Governmental Affairs have recently introduced their latest legislative proposal, which as drafted, does not satisfy our substantial concerns," the lawmakers wrote. "If we are serious about enacting effective legislation into law, we must provide all members of the Senate an opportunity to become adequately informed by regular order. This is not the kind of legislation that can result in a carefully balanced solution unless the full process is afforded."

Sens. Kay Bailey Hutchison (R-Texas), John McCain (R-Ariz.), Chuck Grassley (R-Iowa), Saxby Chambliss (R-Ga.), Lisa Murkowski (R-Alaska), Jeff Sessions (R-Ala.) and Mike Enzi (R-Wyo.) want more hearings with the jurisdictional committees so the members can learn about the bill.

But other Senate staff members said they've conducted more than 150 meetings over the last three years with lawmakers, companies, industry associations, agencies, cybersecurity, privacy and civil liberties experts and many others, and those conversations have led to several significant changes.

In the final version, senators stripped out the Senate-confirmed White House cyber policy director and office. A staff member said there wasn't a lot of support for it and it wasn't worth holding up the bill for it.

The bill also clarifies language in the FISMA section detailing the actions agencies can take if a vendor's system holding government data is under cyber attack or considered vulnerable.

The second staff member said the committees heard the vendors' concerns.

Includes provisions to improve cyber acquisition

The bill now defines any lawful action as one to "require the remediation of or protect against identified information security risks with respect to information collected or maintained by or on behalf of an agency; or that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."

The bill also includes new provisions to improve federal acquisition of technology products and services: