This afternoon, Senators John McCain (R-AZ), Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC) reintroduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act, which now bears the number S. 3342. (The text of the bill has not yet been published but will be posted here as soon as it becomes available.)
As outlined in the senators’ joint press release, the SECURE IT Act would:
- Improve cybersecurity by collaborating with industry and eliminating barriers to enhanced information sharing.
- Create expedited information sharing for the private sector using existing structures and reporting relationships.
- Require federal contractors who provide cybersecurity-related services to a federal agency to report to those agencies significant cyber incidents related to those services.
- Strengthen criminal statutes for cyber crimes.
- Update the Federal Information Security Management Act (FISMA) to modernize the way the government manages and mitigates its own cyber risks.
- Leverage and strengthen existing programs in cybersecurity research and development.
The SECURE IT Act was first introduced on March 1, 2012 as S. 2151, and referred to the Senate Commerce Committee. With time for committee action limited and the bill unlikely to be reported by the committee, the senators reintroduced the bill under Senate Rule 14, which is a procedural move that permits the bill to go directly to the Senate floor. With the reintroduction, the senators also made enhancements to the bill to improve its provisions on federal contractors and strengthen its privacy and civil liberties protections.
Specifically, the bill’s definition of cyber threat information was tightened in an attempt to avoid the inclusion of consumer data in information that is shared about cyber threats. Further, the new language clarifies how cybersecurity centers will share information with federal entities, the private sector and each other. The bill also clarifies that the Federal government will have no authority to use or retain cyber threat information beyond the authority specifically granted in the bill. Additionally, this latest version of the bill includes expanded roles for the Privacy and Civil Liberties Oversight Board (PCLOB) and inspectors general to strengthen the Act’s privacy and civil liberties protections.
One of the principal differences between S. 3342, the SECURE IT Act, and S. 2105, the Cybersecurity Act – introduced by Senator Joe Lieberman (I/D-CT) in February 2012 – is that the SECURE IT Act does not include authority for the Department of Homeland Security (DHS) to create government-mandated cybersecurity standards for industry. Government mandates, however, are supported by the White House and DHS, and included in the Lieberman bill. The SECURE IT Act’s sponsor, Senator John McCain, stated, “The key to successfully fighting this threat is not adding more bureaucrats or forcing industries to comply with government red-tape. Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”
Today’s action in the Senate follows passage by the House of Representatives in April of four cybersecurity bills as part of “Cyber Week”. Senate Majority Leader Harry Reid (D-NV) has indicated that the Senate will take up the Lieberman cybersecurity bill in July after members return from next week’s scheduled Congressional recess.