Wed August 1, 2012
Senate Debates Cybersecurity Bill
Originally published on Thu August 2, 2012 5:31 am
STEVE INSKEEP, HOST:
This week, the Senate is considering a plan to improve cybersecurity. Its advocates say they want to prevent computer hackers from going after the power grid or other vital infrastructure in this country. Maryland Senator Barbara Mikulski contends a cyberattack could be worse than the freak storm that hit the nation's capital this summer.
SENATOR BARBARA MIKULSKI: It took us five days to get the utilities back on because of the utility company. But what happens if our destiny is outside of our control, that the cyberterrorists have turned off the lights in America and we can't turn them back on.
INSKEEP: OK. Sounds pretty dire, but lawmakers do not agree what to do about it. Here's NPR's Martin Kaste.
MARTIN KASTE, BYLINE: Like everything else in Washington these days, cybersecurity is about the familiar argument of big government versus little government.
PAUL ROSENZWEIG: There's nothing wrong with setting standards. There's everything wrong with thinking that the federal government is the right person to set the standards.
KASTE: Paul Rosenzweig dealt with cybersecurity in the Bush administration. He's wary of the Senate bill because it would allow Homeland Security to codify best security practices for Internet providers, utilities and financial institutions. Rosenzweig says nimble tech companies would find themselves taking direction from a slow-moving bureaucracy.
ROSENZWEIG: So we are absolutely guaranteed that the standards we come out with 36 months from now will be addressed to systems that are two generations old.
KASTE: Big tech companies and the U.S. Chamber of Commerce also warn of the cost of government-mandated security measures. So the bill's sponsor, Senator Joe Lieberman, recently agreed to make the standards voluntary. And he says he doesn't understand why the weaker bill is still viewed as burdensome.
SENATOR JOE LIEBERMAN: I mean, this is no more regulation of business than local building codes are regulation of business. We regulate building construction so people in the building are safe.
KASTE: But that analogy doesn't work for Jose Nazario, senior manager for security research at Arbor Networks. He says the problem with setting a building code for cybersecurity is that the basic conditions can change overnight.
JOSE NAZARIO: You know, this is like building a foundation with concrete and the next day finding out that concrete's actually flammable. That's the scenario that you're facing in cybersecurity.
KASTE: Even though minimum security standards wouldn't prevent the next hacking innovation, Nazario says they would push negligent companies to protect themselves from known dangers. Nazario also likes the fact that companies would be able to share suspicious Internet traffic with the government. The idea is earlier detection of threats.
But that, too, is controversial. Civil liberties groups say it could become a back-door form of surveillance. They especially hate the information-sharing in the House version of the bill passed in the spring. But Sharon Bradford Franklin, of the non-partisan Constitution Project, says the Senate has tightened that up.
SHARON BRADFORD FRANKLIN: Now the limitations on law enforcement use are much narrower. And really, overall, they're trying to make sure that the bill, as a cybersecurity bill, is focused in on cybersecurity purposes.
KASTE: Still, with the legislation now on the floor of the Senate, civil liberties groups are keeping a wary eye out for amendments that would broaden government access to Internet traffic, in the name of preventing a cyber-9/11.
Martin Kaste, NPR News. Transcript provided by NPR, Copyright NPR.