Cybersecurity hawks agreed to voluntary measures instead of
government mandates. Privacy advocates are pleased, but others say
compromise bill doesn't protect vital national assets.

In a desperate bid to get a cybersecurity bill passed before
Congress adjourns in August, Senate hawks seeking to protect vital
national assets like the power grid blinked - offering up compromise
legislation that substitutes voluntary measures for government

Under the compromise, unveiled late Thursday, operators of gas
pipelines, refineries, water supply systems and other physical
assets vital to modern life in the US would voluntarily submit their
computer networks to testing by the Department of Homeland Security.
In return, they would get protection from financial liability in
case of a devastating cyberattack.

Key to the revamped version of the Cybersecurity Act is a public-
private partnership - a multi-agency National Cybersecurity Council -
chaired by the secretary of Homeland Security. It would assess risks
and vulnerabilities, but allow industry to recommend voluntary
practices to deal with cyberthreats.

Standards would be reviewed, modified or approved by the council.
Industry could also show their systems to be secure through self-
certification or third-party assessment. The companies would then be
eligible for liability protection.

"We are going to try carrots instead of sticks as we begin to
improve our cyberdefenses," Sen. Joe Lieberman (I) of Connecticut, a
co-sponsor of the legislation, said in a statement. "This compromise
bill will depend on incentives rather than mandatory regulations to
improve America's cybersecurity. If that doesn't work, a future
Congress will undoubtedly come back and adopt a more coercive

While he acknowledged the bill previously introduced in February
by himself and Sen. Susan Collins (R) of Maine "is stronger,"
Lieberman said the new "compromise will significantly strengthen the
cybersecurity of the nation's most critical infrastructure and with
it our national and economic security."

But others said the compromise Cybersecurity Act - which is aimed
at wooing votes away from an all-volunteer cybersecurity bill
offered by Sen. John McCain - is now too weak to truly protect the
nation's key computer networks, because it's voluntary.

"The best thing you can say about this new bill is that it
doesn't do much harm - but it also doesn't make things any better,"
says James Lewis, a cybersecurity expert with the Center for
Strategic and International Studies in Washington. "There are no new
authorities and everything in the bill could already be done under
an executive order. …