The U.S. Senate Committee on Commerce, Science, and Transportation approved
the Cybersecurity Act of 2009 on March 24. The legislation attempts to address the
nation's well-documented flagging cyber-security efforts.
"The legislation is the culmination of a year's worth of consultation and
input from cyber-security experts in the private sector, government and civil
liberties community," the committee said in a news release March 17. The legislation
now moves to the Senate floor for a full vote.
"Our future is literally being stolen from us. Cyber-attacks and hackers
are at work raiding property and proprietary information from U.S.
companies and innovators," Commerce Chairman John D. Rockefeller said in a
statement. "The status quo is not sustainable. We need a new model for the
21st century. We must secure America's
critical networks, innovation and competitiveness in the global market. The
[bill] provides a framework for a fundamentally new approach to combating
cyber-attacks."
The legislation "provides a framework for engagement and collaboration
between the private sector and government on cyber-security, while protecting civil
liberties, proprietary rights, and confidential and classified
information," the committee said. The bill does not criminalize any
conduct, contain any criminal law provisions or provide any resources for law enforcement agencies.
It does require a report and aims to "promote cyber-security public
awareness, education, and research and development."
Bill co-sponsor Sen. Olympia Snowe said, "It is simply undeniable that
cyber-intrusions and attacks represent both a potential national security and
economic catastrophe as our vital information infrastructure—nearly 90 percent
of it—is owned and operated by the private sector. Without adequate cooperation
between the public and private sectors to protect our critical infrastructure
information systems—our strategic national assets—we risk a cyber-calamity of
epic proportions with devastating implications for our nation."
The bill "requires the president to collaborate with owners and
operators of critical infrastructure IT systems, through the existing sector
coordinating councils, to develop and rehearse detailed cyber-security
emergency response and restoration plans. The explicit purpose of this section
is to clarify roles, responsibilities and authorities of government and
private-sector actors in the event of a cyber-security emergency that threatens
strategic national interests. ... The president's declaration of a cyber-security
emergency would trigger the implementation of the collaborative emergency
response and restoration plans."
There is nothing, however, in the bill authorizing "new or expanded
presidential authorities. ... To establish greater accountability for the
president's actions during a declared emergency, the [bill] also requires the
president to report to Congress in writing within 48 hours of the declaration
regarding the circumstances necessitating the declaration, and the estimated
scope and duration of the emergency."