Sen. Joe Lieberman, I-Conn., answers questions during a press conference in Washington, D.C. (Win McNamee / Getty Images)
How powerful should the Department of Homeland Security be in setting and enforcing cybersecurity standards for privately owned "critical networks," such as those that run utilities and chemical plants?
That question is sharply dividing lawmakers as they consider in the coming weeks two competing bills that aim to beef up cybersecurity in critical industry sectors.
Proponents of legislation introduced last month by Sen. Joe Lieberman, I-Conn., argue that many privately owned critical systems are not secure and require federal regulation.
Sectors such as banking, finance and nuclear power already are required by law to meet specific cybersecurity standards. However, the water industry and subsectors of the energy industry — oil and natural gas — are not subject to federal rules; their efforts to address cyber vulnerabilities are voluntary.
Most of the critical infrastructure sectors reviewed by the Government Accountability Office for a December report did "not identify key guidance and standards for cybersecurity because doing so was not specifically suggested by DHS guidance," the report said.
"The level of protection varies a lot across the sectors and across the companies," said a senior cybersecurity official at DHS, who spoke on background because the legislation is pending. Lieberman's 2012 Cybersecurity Act, S 2105, would set a mandatory baseline for the most critical infrastructure, he said.
The bill would authorize DHS to create and regulate security standards for certain privately owned systems that, if attacked, would likely cause death, severe economic damage or harm to national security. Critical infrastructure that is not adequately regulated by another federal agency or properly secured voluntarily by a company would be subject to DHS regulations.
DHS would work with industry to set regulations for critical networks if none exist. Companies that can prove they are secure would be exempt.
"We think we are talking about a very small number of companies — probably in the low thousands — that would be [regulated]," the DHS official said. "It is not by any manner all the companies."
DHS worked with Lieberman to craft the bill. Sens. Susan Collins, R-Maine, John Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., co-sponsored the legislation.
The bill would also require the DHS and Defense secretaries and national intelligence director to designate federal and nonfederal entities as "cybersecurity exchanges" to encourage sharing of classified and unclassified cyber threat data.
The legislation would build on existing cybersecurity arrangements between DHS, industry and other federal agencies, he said.
Critics of the Lieberman bill say it prescribes an overly heavy-handed approach to the problem. The security mandates it would create would burden companies with heavy compliance costs, turn cybersecurity into a check-the-box routine, and stifle the adoption of innovative technologies, they say.
Sen. John McCain, R-Ariz., and seven Republican co-sponsors introduced their own bill March 1 that promotes voluntary information sharing of cyber threats between government and industry through existing partnerships. The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT), S 2151, would not give DHS new regulatory authority.
"A super-regulator like DHS would impact free-market forces," McCain said at a hearing.
Several trade organizations representing critical industry sectors support information-sharing but are concerned DHS would overstep its boundaries as a regulator. "Private sector is not interested in being experimented upon," said Matthew Eggers, senior director of national security and emergency preparedness at the U.S. Chamber of Commerce.
Another concern is that regulations would not change fast enough to keep up with new cyber threats and would hinder adoption of innovative technology, said Robert Mayer, vice president of law and policy at the broadband association USTelecom, whose membership includes more than 100 telecommunications companies, such as AT&T and Verizon.
A Senate staffer familiar with the Lieberman legislation said some water, chemical and energy distribution companies could be regulated.
Skeptics of DHS' ability to regulate industry point to the department's troubled chemical facility security program, or CFATS. Congress in 2007 directed DHS to beef up the physical security and cybersecurity of chemical facilities.
But that program suffered from unstable leadership, inadequate training and poor hiring decisions, Rep. Dan Lungren, R-Calif., chairman of the House subcommittee that oversees the program, said at a hearing this month. DHS is taking steps to improve the program's effectiveness, said Rand Beers, undersecretary of DHS' National Protection and Programs Directorate.
The Lieberman bill would not require companies to submit cybersecurity plans to DHS, and there would not be on-site inspections except in certain cases, the DHS official said. Security requirements for covered critical infrastructure would focus on whether critical networks are secure, not on how companies choose to meet security standards. The bill also requires companies to self-certify their cybersecurity annually or have a third party assess it.
"It's a much more arm's-length relationship," the senior DHS official said, adding that there have been many lessons learned from the CFATS program.