In the Senate there are two competing cybersecurity bills. S. 2105, the Cybersecurity Act, which includes provisions authored by Senators Lieberman, Collins and Rockefeller, also incorporates cybersecurity recommendations for legislative reform provided by the White House.
Among the key provisions:
- Grants new powers to the Department of Homeland Security (DHS) for overseeing all federal cybersecurity policies, IT security requirements and enforcement mechanisms,
- Grants new powers to DHS to develop a process for coordinating and establishing measures for sharing information between the private and public sectors related to cybersecurity threats and attacks upon operators and owners of entities deemed to be “critical infrastructures,” such as utility companies and nuclear facilities, and
- Grants authority to DHS to establish minimum security requirements and annual certifications for owners and operators of critical infrastructures to protect against cyber threats and attacks.
In opposition to S. 2105, Senator McCain introduced S. 2151, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE Act). This bill promotes a self-regulatory model for protecting critical infrastructures:
- Creates an incentive-based process for owners and operators of critical infrastructures for sharing information with government authorities on matters dealing with cybersecurity threats and attacks,
- Enhances criminal penalties for fraud and other illegal activity when using a computer, and
- Promotes greater federal investment in research and education in the area of cybersecurity.
Senate Majority Leader Reid has stated that all of the attendant issues surrounding cybersecurity have been discussed during prior legislative sessions and there is no need to start the vetting process over. As a result, Senator Reid has stated that he plans to put S. 2105 and S. 2151 up for floor votes during the current legislative session.
The good news is that House Republican Leadership is moving forward with several important bills in the area of cybersecurity reform. The bad news is that absent from the debate is the need for data breach notification reform. CompTIA’s advocacy will continue the drum roll on this issue in an attempt to include a national preemption model for data breach notifications, but it will be a tough battle ahead.