Senators campaign for clause to assess infrastructure cyber defenses

A bipartisan group of senators wants to ensure that the major cybersecurity legislation headed for President Obama’s desk includes a provision they believe would help defend the nation’s critical infrastructure against a cyberattack.

The clause would require the Department of Homeland Security (DHS) to assess the cybersecurity readiness at roughly 65 companies behind the nation’s infrastructure, and develop a plan for preventing a “catastrophic” cyberattack.

{mosads}Eight senators wrote the House and Senate co-sponsors of the companion cyber bills, encouraging them to include the line in the final bill, which will be hammered out in conference in the coming months.

The cyber measures are intended to voluntarily encourage the private sector to share more information on hacking threats with the government. The House passed its two complementary measures in April, and the Senate followed by approving its companion bill in October.

As the two chambers come together to conference the bill, many are pushing to try and get their preferred portions included in the final text.

In Monday’s letter, eight senators insisted the DHS clause, written by Sen. Susan Collins (R-Maine), was critical to creating a strong cybersecurity bill.

“Ample evidence, both classified and unclassified, testifies to the threat facing critical infrastructure and the deficiencies in the cybersecurity capability to defend them,” it reads.

Collins was joined on the letter by her Republican colleague Dan Coats (D-Ind.). Democratic Sens. Martin Heinrich (N.M.), Mazie Hirono (Hawaii), Barbara Mikulski (Md.), Mark Warner (Va.) and Jack Reed, and Sen. Angus King (I-Maine) also signed the memo.

Lawmakers have been searching for ways to bolster the cyber defenses of critical infrastructure companies amid warnings from researchers and U.S. officials that the essential components, such as the power grid, are vulnerable to foreign hackers.

National Security Agency Director Adm. Michael Rogers recently told Congress that, on a scale of 1 to 10, the U.S. was at a “5 or 6” in its preparedness to defend its critical infrastructure against a major cyberattack.

The energy sector, in particular, has generated considerable concern, with lawmakers and researchers cautioning that the industry’s digital defenses are dangerously lagging and underfunded.

“In light of the cyber threat to critical infrastructure,” Collins recently said on the Senate floor, “the bare minimum we ought to do is to ask DHS and the appropriate federal agencies to describe what more could be done to prevent a catastrophic cyber attack on our critical infrastructure.”

Coalitions of industry groups — including those representing the financial, telecommunications and gas sectors — have pushed back against the provision. They believe it would infringe on the voluntary nature of the cyber bills and create “de facto regulatory mandates.” Under the bills, companies are not required to participate in any information exchange with the government.

The senators dismissed these claims in their letter, saying the clause “has been mischaracterized.”

The passage “is not counter to the overall voluntary nature of [the cyber bill], and it does not impose new incident reporting requirements,” the lawmakers insisted.

“Ironically, many of the trade associations who oppose this provision do not represent a single entity that would be covered,” they added.