As expected, cybersecurity has been a major issue in both chambers of Congress. Thus far, there are competing bills in both the House and Senate that would take steps to change the way the federal government and private sector industries prepare for a possible cyber threat.
Last week, the Senate Judiciary Committee held a hearing on “The Cybersecurity Act,” a bipartisan bill introduced by Senators Joe Lieberman (I-CT) and Susan Collins (R-ME). The Cybersecurity Act is seen as the most likely vehicle for passage in the Senate but is not without detractors and is likely to be changed before going to the floor for a vote. Several Republican Senators, including Senator John McCain (R-AZ), strongly oppose the Cybersecurity Act and have introduced a bill that would authorize a broad information sharing program between the private sector and the government, but that omits the provisions in the Lieberman-Collins bill granting the Department of Homeland Security authority to regulate “covered critical infrastructure” like energy and finance companies.
The hearing last week outlined another major concern with the Lieberman-Collins bill: public disclosure and privacy. Under scrutiny are exemptions within the bill to the Freedom of Information Act (“FOIA”) and whether the legislation in its current form strikes the proper balance between security and the public’s right to know. Privacy advocates have expressed concerns that the legislation’s broad definition of “critical infrastructure information” will lead to the exemption of additional information from FOIA that is currently protected. Judiciary Committee Chairman Patrick Leahy (D-VT) has vowed to keep FOIA exemptions in the act as narrow as possible, indicating that he intends to seek changes to the bill before giving it his endorsement.
In the House, a bipartisan working group of staff from members of the House Energy and Commerce Subcommittee on Communications and Technology held a day-long session of meetings with stakeholders to discuss issues related to cybersecurity that fall under the Committee’s jurisdiction. Among the issues raised by the working group was whether a code of conduct could be implemented, either by statute or through voluntary action by industry, to improve the country’s defense against a cyber attack.