New version of SECURE IT takes less regulatory approach than Democratic-backed Cybersecurity Act, sponsors say
A group of Republican senators on Wednesday introduced a revised version of a previously proposed bill that seeks to enhance cybersecurrity by improving the sharing of information between private industry and government.
The new Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT) is being put forth as a less regulatory alternative to another Senate bill, the Cybersecurity Act, which was introduced earlier this year by Senate Democrats.
The main difference between the two bills is that, unlike the Democratic version, the Republican version does not give any new regulatory authority to the federal government to set cybersecurity standards. The new version of SECURE IT also restricts the purposes for which government can retain and use information about cyberthreats.
SECURE IT, backed by Sens. John McCain (R-Ariz.), Kay Bailey Hutchison (R-Texas), Chuck Grassley (R-Iowa), Saxby Chambliss (R-Ga.), Lisa Murkowski (R-Alaska), Dan Coats (R-Ind.), Ron Johnson (R-Wis.), and Richard Burr (R-N.C.), will allow companies to legally share real-time cyberthreat information from their networks with other industry stakeholders, law enforcement agents and government officials.
Security experts believe that such information-sharing is vital to combating cyberattacks. The bill will also encourage investment in tools and training for preventing and remediating cyberattacks.
In addition, SECURE IT seeks to strengthen criminal statutes against cybercrime and will require federal contractors to notify their government customers of any security incidents affecting their services.
Many of the objectives are similar to those proposed in the Cybersecurity Act. What’s different is that SECURE IT does not give the government any new regulatory authority.
The Democratic bill gives the U.S. Department of Homeland Security the right to evaluate the security practices of enterprises that operate components of the nation’s critical infrastructure. It would require operators that are found deficient in their security practices to work with the DHS to remedy the situation.
With SECURE IT, the focus is more on deterrence rather than regulation, according to a statement that the senators who sponsored the bill issued on Wednesday.
“I have no faith that federal regulators should take the lead on cybersecurity,” Sen. Johnson said in the statement. “The regulatory process simply cannot keep up with the rapid pace of technology. Rather than try to impose a comprehensive approach, we need to take this one step at a time — building confidence between government and the private sector, and ensuring protections for civil liberties.”
The revised version of SECURE IT tightens up the definition of cyberthreat information. It also spells out the responsibilities of government organizations and industry stakeholders when sharing information about cyberthreats.
It includes language aimed at ensuring that federal agencies adopt and update security tools for combating cyberthreats. “The surest and quickest way to improve cybersecurity in this country is to leverage the capabilities and flexibility of the private sector instead of creating costly layers of government bureaucracy,” Sen. Coats said in the statement.
House lawmakers passed their version of a similar information-sharing bill (H.R. 3523) in April. That bill, called the Cyber Intelligence Sharing and Protection Act (CISPA), attracted considerable criticism from privacy advocates and others, who fear it will eviscerate privacy rights.
President Obama has threatened to veto any cybersecurity bill that has the provisions that CISPA has.
Retrieved from Computerworld