July 19, 2012 – 6:03 p.m.

Lieberman and Allies Offer New Compromise Cybersecurity Proposal

Sponsors of the chief Senate cybersecurity bill have written a new version of the legislation that scales back the measure’s regulatory authority, hoping to clear a path for long-awaited floor action.

The revised bill (S 3414) would make compliance with new security standards voluntary, rather than mandatory, for businesses that own the most vital computer networks. It offers those companies legal immunity in the event of an attack and other incentives in exchange for establishing that they are meeting a certain standard of protection, according to a summary provided by the bill’s sponsors on Thursday.

Senators and aides have said cybersecurity legislation could be on the floor as soon as next week, and the revised bill would form the basis of floor debate. In rewriting the bill, the sponsors are trying to bridge a gap between their own ambitions to compel industry to improve cyber defenses and the view held by business groups and many Republicans that mandatory security regulations are unwise.

An earlier version of the bill (S 2105) had backing from the White House, but Republicans opposed it for including mandatory security standards for some businesses. As a result, the bill didn’t have enough support to get through the Senate, even with Majority Leader Harry Reid, D-Nev., declaring cybersecurity legislation one of his top priorities this year.

It is unclear whether the revised bill could win floor passage as is, but it stands to win over at least some GOP senators.

The bill is sponsored by Homeland Security and Governmental Affairs Chairman Joseph I. Lieberman, I-Conn.; the panel’s top Republican, Susan Collins of Maine; Commerce, Science and Transportation Chairman John D. Rockefeller IV, D-W. Va.; Intelligence Chairwoman Dianne Feinstein, D-Calif.; and Thomas R. Carper, D-Del.

The revised bill reflects an attempt by Sens. Sheldon Whitehouse, D-R.I., Jon Kyl, R-Ariz., and a variety of other lawmakers from both sides of the aisle to draft a compromise between the Lieberman bill and another measure (S 2151), sponsored by Arizona’s John McCain and other GOP senators, that included no new security requirements whatsoever.

“I had previously sponsored a bill with a stronger regulatory approach to resolve this problem, but it’s become clear that some members of the Senate would not support that approach,” Rockefeller said in a news release.

Said Lieberman: “We are going to try carrots instead of sticks as we begin to improve our cyber defenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America’s cybersecurity. If that doesn’t work, a future Congress will undoubtedly come back and adopt a more coercive system.”

For companies providing evidence that they are employing the industry-recommended, federal-government-approved security standards, incentives would include liability protection, expedited security clearances and “priority assistance” from the government on cyber issues, according to the bill summary.

As with both the original Lieberman and McCain bills, the revised measure would include provisions designed to strengthen the sharing of threat information between the federal government and the private sector, as well as provisions aimed at shoring up the federal government’s defenses of its own computer networks.

Feinstein said the revised bill also improves upon its privacy protections for information shared between the government and businesses, a point of contention for a number of Senate Democrats.

Civil liberties groups campaigned hard against a House-passed information-sharing bill (HR 35223) that they maintained did not adequately safeguard data on U.S. citizens.