Three senators are expected to introduce a long-awaited cybersecurity bill this week that will overhaul the way the government protects critical networks.
Sens. Susan Collins, R-Maine, Joe Lieberman, I-Conn., and John Rockefeller, D-W.Va., are now putting final touches on the bill, which mirrors a reform proposal outlined by the White House in May.
The bill would authorize the Department of Homeland Security to beef up security standards for privately owned critical networks, such as those affecting transportation and water systems, said Leslie Phillips, spokeswoman for the Senate Homeland Security and Governmental Affairs Committee. Companies operating such systems, however, could appeal DHS’ regulation of them, Phillips said.
“The private sector can decide how they’re going to meet those standards,” she said. “If they don’t meet those standards, they are breaking the law, and there are penalties.”
The bill does not define penalties but leaves it to DHS to decide the proper punishment for critical infrastructure operators that do not meet security standards.
A hearing is scheduled for next Thursday to discuss the bill.
Senate Majority Leader Harry Reid, D-Nev., had planned for the Senate to vote on cybersecurity legislation by Feb. 17, but that date will likely be pushed back. Phillips said the new bill is based heavily on past work by the Senate Commerce and Homeland Security and Governmental Affairs committees.
The bill also would:
• Revise the 2002 Federal Information Security Management Act to require continuous monitoring of agencies’ information technology systems and put an end to manual, paper-based reporting of agencies’ security levels.
• Outline how DHS and the private sector are to share cybersecurity information.
• Consolidate all infrastructure cybersecurity programs within DHS’ National Protection and Programs Directorate into a new unit called the National Center for Cybersecurity and Communications.
• Promote research and development, training and hiring of cyber professionals.
Unlike the White House proposal, the bill will not detail how and when companies, including those operating critical infrastructure, should report a breach to consumers. Phillips expects data breach notification will be added as an amendment to the bill. Government agencies already have guidelines for reporting breaches.