When a handful of Republican senators rolled out a new cybersecurity bill on Thursday, they chose to emphasize what the legislation does not do as opposed to what it does do.
The bill, titled the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT), includes no new funding authorizations, no new regulations and no new mandates on the private sector, Sen. Saxby Chambliss, R-Ga., said at a news conference.
It does not create new bureaucracy and it does not pile on new regulations, Sen. Lisa Murkowski, R-Alaska, said.
Chambliss and Murkowski are co-sponsoring the bill, along with Sens. John McCain, R-Ariz.; Kay Bailey Hutchinson, R-Texas; Chuck Grassley, R-Iowa; Dan Coats, R-Ind.; Ron Johnson, R-Wis.; and Richard Burr, R-N.C.
Chambliss, who is ranking member on the Senate Select Committee on Intelligence, said some would say the bill doesn't go far enough. However, the group drafted the legislation in direct response to the Cybersecurity Act of 2012, which the Republican senators believe goes too far.
"Rather than arming Homeland Security with expansive new regulatory authority over every sector of our economy, the SECURE IT cyber bill we've introduced today emphasizes a partnership approach between the government and private entities," Murkowski said.
Sens. Joe Lieberman, I-Conn.; Jay Rockefeller, D-W.Va.; Dianne Feinstein, D-Calif.; and Susan Collins, R-Maine, introduced the Cybersecurity Act of 2012 on Feb. 14.
Their bill would expand the authority of the Department of Homeland Security and would implement new regulations to try to protect critical infrastructure from cyber attacks. It would also create a National Center for Cybersecurity and Communications under the Department of Homeland Security.
After it was unveiled, some critics, including the U.S. Chamber of Commerce, said the demands on industry went too far, while others said it contained too many loopholes to make it effective.
The SECURE IT Act contains none of the regulatory provisions of the earlier bill. Instead, it would rely on existing federal cybersecurity centers to facilitate the voluntary sharing of cyber threat information among private companies and with the government.
"No new center is needed," Chambliss said.
"We do not have the time or the money to create new agencies," Coats said.
According to the bill's sponsors, the legislation eliminates some of the barriers that can keep companies from sharing cyber threat information, including antitrust laws that restrict the exchange of information between private entities.
While the sponsors of the SECURE IT Act think the Lieberman-Collins bill goes too far, others believe the earlier legislation already made too many concessions to industry concerns.
"As currently drafted, this bill includes significant loopholes that would keep our nation at risk," Jim Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, said at a Feb. 16 Senate hearing. "Some of these loopholes are intended to accommodate industry concerns. These industry concerns are understandable and the bill makes reasonable efforts to accommodate them. However, in a few instances, the language to assuage industry concerns goes too far and ends up putting national security at risk."
In recent days, Lieberman, Collins and Feinstein have shared supportive letters from various industry representatives, including the regional electric utility Pepco Holdings.
Senate Majority Leader Harry Reid, D-Nev., said he'll bring the Lieberman-Collins bill to the Senate floor, at which time McCain said he will offer the SECURE IT Act as a substitute piece of legislation.