Beyond CISPA: The cybersecurity bills you need to worry about right now

With CISPA pushed to the back burner, the Senate is set to consider two alternative cybersecurity bills, both of which are far more expansive than CISPA — and each with many of the same problems, according to privacy advocates. Here is everything you need to know about the Cybersecurity Act of 2012 and the SECURE IT Act before they hit the Senate floor for a vote this month.

We’ve had a bit of a break from Congress’ cybersecurity legislative hoopla since the House passed the contentious Cyber Intelligence Sharing and Protection Act (CISPA) late last month. But with the Senate back from recess, the fight over Internet regulation is roarin’ and ready to roll.

Despite all the fears surrounding CISPA — a bill that would make it easier for the Federal government and businesses to share information (including users’ private communications) — the rumblings from Capitol Hill suggest that CISPA won’t even make it onto the Senate’s agenda, thanks to broad opposition from Senate Democrats and a veto threat from President Obama. (That’s right — you probably don’t have to worry about CISPA itself anymore, though that’s not saying much.) Instead, the Senate is expected to take up two alternative bills: the Cybersecurity Act of 2012 (CSA), sometime this week, and the SECURE IT Act, sometime this month.
Here is a (relatively) concise rundown of what these bills are, and why civil liberties advocates say they too threaten our individual privacy.

What is the Cybersecurity Act of 2012?

The Cybersecurity Act of 2012 (officially known as S. 2105, and often referred to in the press as the “Lieberman-Collins bill”) seeks to establish robust security standards to protect against “cyber threats,” with a particular emphasis on the protection of “critical infrastructure” networks in the U.S., such as electrical grids and air traffic control systems. Companies that operate such systems, assets, or networks would be required to prove to the government that they have certain safeguards in place to protect against cyberattacks.

Like CISPA, CSA also removes certain legal barriers to allow for greater information sharing between the government and the private sector. Finally, CSA establishes the Department of Homeland Security (DHS) as the Federal government’s lead agency for controlling the cybersecurity infrastructure.

Read the CRS summary of CSA here. Or read the full text here.

CSA was introduced to the Senate on February 14 by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), Ranking Member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). Only one other senator, Sen. Sheldon Whitehouse (D-RI), has co-sponsored the bill since its introduction, though it has explicit support from Senate Majority Leader Harry Reid (D-NV), and the Obama White House.

What is the SECURE IT Act?

Officially known as S. 2151 in the Senate, and H.R. 4263 in the House, SECURE IT is a direct response to CSA. Like CSA and CISPA, both the Senate and House versions of SECURE IT remove legal barriers to allow for greater sharing of information between the government and businesses. Unlike CSA, however, SECURE IT does not establish a governmental regulatory system to oversee cybersecurity threats or to make sure that security standards are in place for critical infrastructure. Instead, SECURE IT provides a number of incentives to companies that choose to share “cyber threat information” with the Federal government.

Furthermore, SECURE IT establishes criminal penalties for a wide range of cybercrimes, from “trafficking in passwords” to causing damage to critical infrastructure networks or systems.

SECURE IT was first introduced by Sen. John McCain (R-AZ), and has seven co-sponsors in the Senate, all top-ranking Republicans. In the House, SECURE IT was introduced by Rep. Mary Bono Mack (R-CA), and has one co-sponsor.
Read the full text of S. 2151 here, and the full text of H.R. 4263 here.

What is the difference between the Cybersecurity Act of 2012 and SECURE IT?

Two words: government regulation
The fight over these two bills is classic Washington bi-partisanship. The Democrat-backed CSA establishes a governmental regulatory apparatus that would put in place certain mandatory security measures that private companies (specifically those that deal with critical infrastructure) would have to meet. While some say that CSA doesn’t go far enough towards enforcing these standards, Republicans don’t like this “big government” approach to cybersecurity at all. SECURE IT’s chief sponsor, Sen. John McCain, has called CSA a “regulatory leviathan.” And critics in the private sector insist that CSA would put harmful burdens on businesses.