As the fight over cyber security legislation shifts to the Senate, a battle line is being drawn by the Administration and Senate Democrats: the need to establish mandatory cyber security standards for "critical infrastructure" companies such as electric utilities, gas pipelines and banks. In late April, over the objections of the Obama Administration, the House passed the Cyber Intelligence Sharing and Protection Act (CISPA), which allows private companies, including critical infrastructure players, to voluntarily share cyber threat information with government agencies.
Senate Democrats and the Administration opposed CISPA not only on inadequate privacy protection grounds but also because the bill fails to impose cyber security standards on critical infrastructure. Instead, they favor a bill introduced by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) that would give the Department of Homeland Security (DHS) the ability to impose minimum cyber security requirements on critical infrastructure companies.
In the midst of the legislative wrestling, Sen. John McCain (R-AZ), Ranking Member of the Senate Committee on Armed Services, has engaged in a lively exchange of letters with General Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command, regarding Alexander's support of the Administration's position that mandatory requirements are needed. (Hat tip to the wonderful Lawfare blog for tracking these exchanges.) McCain kicked off the correspondence following Alexander's March testimony. Alexander responded on May 8, and McCain replied to that letter on May 9.
Both McCain and Alexander agree on the inevitability of a large-scale cyber attack on the U.S. In his initial letter, McCain said "I view the inevitability of a large-scale cyber attack as an existential threat to our nation." Alexander said that he shared McCain's view that "the United States will inevitably face a large-scale cyber attack."
Beyond that, though, the two military men disagree. Echoing Obama's position, Alexander thinks that "some minimum security requirements will be necessary to ensure that the core critical infrastructure is taking appropriate measures to harden its networks to dissuade adversaries and make it more difficult for them to penetrate those networks."
McCain, reflecting the Republican position, is fearful of creating a bureaucracy that will promote mere compliance with what he perceives to be ineffective regulations, particularly under DHS. "Our vulnerability to cyber attacks will not be remediated by creating additional layers of bureaucracy in an agency already failing in several of its core missions, including aviation security and border control," he wrote.
In the meantime, Senator Jay Rockefeller (D-WV), a co-sponsor of the Senate bill, is reinforcing the line drawn by the Democrats. Yesterday he told reporters he is not open to removing the mandatory requirements provisions from the legislation. "That's just like giving up the basic national security protection of the country," he said.
Image courtesy of Occupy Los Angeles.