From: The Hill
Obama administration officials held a classified briefing with senators Wednesday to press for passage of comprehensive cybersecurity legislation this year, The Hill has learned.
Several senators on Thursday acknowledged to The Hill that they had taken part in the classified briefing. The session was requested by the Obama administration and included representatives from the White House, Federal Bureau of Investigation, the Department of Homeland Security, National Security Agency and Pentagon, as well as the bipartisan leadership of the committees with jurisdiction over cybersecurity.
All parties in the meeting agreed that there is an urgent need to address the rapidly growing threat to America’s computer networks, sources said.
But the lack of cooperation between the relevant agencies and committees has stalled the process since the Obama administration unveiled recommendations for cybersecurity legislation in May.
“There’s a feeling it needs to be done very, very soon,” said Sen. Chuck Grassley (R-Iowa), ranking member of the Judiciary Committee.
Grassley said he believes progress can be made through the working cybersecurity group set up by Senate Majority Leader Harry Reid (D-Nev.) and Minority Leader Mitch McConnell (R-Ky.) that is made up of the relevant committee heads, but not if different committees insist on moving forward independently.
The crux of the debate is deciding which firms should be deemed critical infrastructure and be covered by a new cybersecurity law. There is also debate over to what extent those companies should be required to comply with security standards established by the government.
Senate Homeland Security Chairman Joe Lieberman (I-Conn.) said the White House proposal was “not that different” from the comprehensive cybersecurity bills that have emerged from his panel and the Senate Commerce Committee.
Both the Senate and the White House plans task Homeland Security with overseeing private sector networks. But Lieberman noted the Senate bills include mandatory enforcement actions, while the White House plan relies on a weaker “name and shame” enforcement regime.
The House Republicans unveiled their own recommendations earlier this month. Their guidelines suggest a narrower definition of critical infrastructure than the White House or Senate and emphasizes information sharing with industry and incentives over mandatory security standards.
Unlike the White House, House Republicans would largely limit the rules to sectors that are already heavily regulated, such as nuclear power, and would task the existing regulators for those sectors with taking cybersecurity into account.
Senate Armed Services Committee chairman Carl Levin (D-Mich.) said another key issue is the extent to which critical infrastructure firms will be required to report cyber attacks to the government and what their liability would be in the event they share information with the government that is later exploited in an attack.
Levin said disagreement over the extent of government security mandates is central to the debate but believes progress has been made because all of the lawmakers involved feel the same urgency about passing something as soon as possible.
Lieberman acknowledged there is some debate over the issue but said he prefers to settle it in the open rather than behind closed doors.
“Let’s go to the floor and argue it out,” Lieberman said.
Lieberman said the turf war over which agency should be in charge of implementing the government’s cybersecurity plan has been largely resolved and there is a “broad consensus” that DHS is best suited to the task, with technical and intelligence support from the military and National Security Agency.
Lieberman also said cybersecurity continues to be a priority for Reid and the hope is to bring the Senate package to the floor for a vote before the end of the year. Grassley and Levin echoed the need for quick action on the issue.
Levin acknowledged his committee is still waiting for the Pentagon to clarify its policy on a number of cybersecurity issues such as when a cyberattack constitutes an act of war or which government agency is authorized to respond to such attacks. But he said there is agreement those issues are separate and they won’t delay the debate over cybersecurity legislation.