Senate Democrats this week unveiled their latest attempt to clarify and modernize the security of the country’s critical information technology infrastructure. An attempt to pass cybersecurity legislation introduced by Sens. Joseph Lieberman (I-CT) and Susan Collins (R-ME) stalled on December 15 when the full Senate failed to act on the measure after it was voted unanimously out of committee.
The currently skeletal legislation, S.21, sponsored by Senate Majority Leader Harry Reid and seven committee chairs, is anticipated to include most of the Lieberman-Collins measure. But given its yet-to-be-determined final form, debate about its effects on privacy and executive power have reemerged.Over the weekend, CNET’s Declan McCullagh predicted the re-introduction of Lieberman’s cybersecurity bill, which he inaccurately dubbed the “Internet kill switch” last year. McCullagh suggested the measure would contain language slipped into the original bill at the 11th hour — language he said would exempt it from judicial review.
“The idea that the Committee’s bill was exempt from judicial review at any time is false,” said Leslie Phillips, communications director for the Senate Homeland Security Committee. While the measure does restrict review of the classification of private assets as critical to national security to an internal DHS process, the law itself would be no less subject to judicial scrutiny as any other act of Congress. According to Phillips, the review process was added during the bill’s markup in June.
As TPM reported over the summer, the Lieberman-Collins measure wasn’t designed or intended to give broad new authority to the executive branch (nor establish an “Internet Kill Switch”). Instead, it was designed to, with the help of the industry, to determine which infrastructure was actually critical and how to best protect it to prevent a catastrophic event and mitigate the fallout from one based on existing authority. The legislation, in fact, prohibits the government from telling companies what specific security protocols they should implement and focuses instead on the results companies must achieve.
An aide quoted in the CNET piece, Brandon Milhorn, Staff Director and Chief Counsel for Sen. Collins on the Senate Homeland Security Committee, emphasized the importance of the legislation as a means to establish guidelines that could head off large-scale disaster.
“There are systems and assets out there — particular nodes in our information technology networks — that are so sensitive, would cause so much damage if disrupted that we need to work closely with the private sector to make sure we understand what owner/operators are doing to secure those systems,” Milhorn said. “We’re not talking about entire companies, we’re not talking about entire systems at a company, we’re talking about particular nodes in a company” that could create the kind of damage defined in the bill if successfully attacked.”
Some analysts understand why the industry would be concerned if the legislation was actually exempt from review. “With this kind of determination, you’re going to have regulations and restrictions imposed on you. I can see why a company would want a review of that” said Michael McNerney, a fellow at the Truman Project, a national security think tank based in Washington. McNerney suggested, however, that the DHS review process outlined in Lieberman-Collins is both sufficient and constitutional. “Applying a regulation to a defined a group is different than, say, the government violating your fourth amendment rights.”
While it is impossible to know what a finalized S.21 is going to contain, its introduction offers critics another opportunity to work with Congress to ameliorate their concerns.
“Overall, I give Lieberman-Collins a B,” said McNerney. “There are still plenty of things we could do better.”
Late update: Reid spokesman Jon Summers sent the following statement: “This bill is an important first step towards a comprehensive effort to protect our nation’s cyber security from threats from state actors, criminals and terrorists wishing to do us harm. Cyber security is equally important to both economic prosperity and national security, and our efforts will always balance those goals. The Lieberman-Collins and Rockefeller-Snowe bills are critically important first steps, and our staffs have been working together over the last year to integrate them with additional proposals to address the full array of challenges we face in the cyber arena.”