Two competing bills are sharply dividing lawmakers in Washington D.C. as they attempt to define how the Department of Homeland Security should regulate cybersecurity in privately owned critical systems, according to an article in the Federal Times.
Legislation from Sen. Joe Lieberman, I-Conn., argues that many privately owned critical systems, such as those that run utilities or chemical plants, are not secure and require federal regulation, the article says. Sectors such as banking, finance and nuclear power already are required by law to meet specific cybersecurity standards, but the water industry and some subsectors of the energy industry (oil and natural gas) are not subject to federal rules. Their efforts to address cyber vulnerabilities are voluntary.
The bill would authorize DHS to create and regulate security standards for certain privately owned systems that, if attacked, would likely cause death, severe economic damage or harm to national security, the article says. Companies that can prove they are secure, however, would be exempt.
"We think we are talking about a very small number of companies — probably in the low thousands — that would be [regulated]," said a senior cybersecurity DHS official in the article. "It is not by any manner all the companies."
The bill would also require the DHS and Defense secretaries and national intelligence director to designate federal and nonfederal entities as "cybersecurity exchanges" to encourage the sharing of classified and unclassified cyber threat data, building on existing cybersecurity arrangements between DHS, industry and other federal agencies, the official said.
On the other side of the debate is a bill set forth by Sen. John McCain, R-Ariz., and seven Republican co-sponsors on March 1. This bill promotes voluntary sharing of cyber threat information between government and industry through existing partnerships and denies DHS any new regulatory authority, the article says.
"A super-regulator like DHS would impact free-market forces," said McCain at a hearing.
Central concerns raised in the article against Lieberman's bill include:
- DHS might overstep boundaries as a regulator
- Regulations might not change fast enough to keep up with new and evolving cyber threats
- Regulations might hinder adoption of innovative technology
The Lieberman bill would not require companies to submit cybersecurity plans to DHS, and there would be no on-site inspections except in certain cases, the DHS official said in the article. Security requirements for covered critical infrastructure would focus on whether those networks are secure, not on how companies choose to meet the security standards. The bill also requires companies to self-certify their cybersecurity annually or have a third party assess it, Federal Times reports.