Cybersecurity Bill: Vital Need Or Just More Rules?

Legislation sponsored by Sens. Joe Lieberman (I-CT), Susan Collins (R-Maine), and others, would require owners and operators of critical infrastructure assets to notify the Department of Homeland Security of any and all cyber intrusions into their operating systems. Currently, such reporting is strictly voluntary, and security experts say only a fraction of the incidents come to the government's attention.

The Lieberman-Collins initiative would also establish baseline cybersecurity standards that all companies in an industrial sector would be required to meet. The legislation, however, has run into stiff opposition from private firms, the Chamber of Commerce and from members of Congress who view it as heavy-handed. "Unelected bureaucrats at the [Department of Homeland Security] could promulgate prescriptive regulations on American businesses," charges Sen. John McCain (R-AZ), the co-author of an alternative cybersecurity bill that favors voluntary information sharing between the government and private industry. Advocates of mandatory cybersecurity standards, however, say the owners and operators of critical assets have consistently underestimated their vulnerability to cyberattacks and therefore are unlikely on their own to take the steps necessary to bolster their own defenses, particularly if they cost money.

The wrangling over cybersecurity, however, is not strictly partisan. Among the advocates of tough, compulsory measures are several former Bush administration officials, including Michael Chertoff, a former secretary of Homeland Security, and Michael McConnell, a former director of National Intelligence, as well as FBI Director Robert Mueller, who has served under both Presidents Obama and Bush. McConnell is especially dismissive of the argument that the mandatory cybersecurity measures being proposed would be anti-business.