The Senate easily advanced a motion to proceed on their version of a cybersecurity bill yesterday, by an 84-11 vote. Clearly this bill, a separate version of which has already passed the House, has a broad degree of support. As if on cue yesterday, the head of the National Security Agency Keith Alexander, warned about increasing cyberattacks on the US, which this bill would purport to stop:
The top American military official responsible for defending the United States against cyberattacks said Thursday that there had been a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations [...]
General Alexander, who rarely speaks publicly, did not say how many attacks had occurred in that period. But he said that he thought the increase was unrelated to the release two years ago of a computer worm known as Stuxnet, which was aimed at taking down Iran’s uranium enrichment plant at Natanz.
When the worm inadvertently became public, many United States officials and outside experts expressed concern that it could be reverse-engineered and used against American targets. General Alexander said he saw no evidence of that.
The comments were made at the Aspen Institute but they were pretty clearly intended to pressure folks on Capitol Hill to progress the cybersecurity bill. And it worked.
The bill will work through amendments next week, and Harry Reid agreed to a relatively open amendment process for the time being. Al Franken, one of the leaders in improving the bill from its invasive, privacy-destroying CISPA shell, voted to advance the bill, praising the changes that have been made. But Franken also said that he would introduce an amendment that would deal with provisions to grant too much leeway on Internet service providers to openly monitor private communications and deploy countermeasures on those users based on the information. The shorthand for this is the “monitoring and countermeasures authorities” in the bill. Here’s an excerpt from Franken:
And after a lot of hard work and a lot of conversations, the sponsors made a series of changes to the bill that are major, unequivocal victories for privacy and civil liberties. Now, the bill is still not perfect. Far from it. But I can say with confidence that when it comes to protecting both our cybersecurity and our civil liberties, the Cybersecurity Act of 2012 is the only game in town [...]
Right now, the Cybersecurity Act and the President’s proposal are not in line with each other—because unlike the President’s proposal, the Cybersecurity Act does give ISPs and other companies a brand new right to monitor communications and to deploy countermeasures. That right is very broad. So broad that if a company uses that power negligently to snoop in on your email or damage your computer—they will be immune from any lawsuit.
I plan to offer an amendment to delete these new monitoring and countermeasures authorities and bring this bill in line with the President’s proposal. And I hope that my colleagues here in the Senate will join me in passing this amendment—seven of my colleagues have already indicated that they will cosponsor this amendment.
The President has also said that the Senate bill “lacked some of the key provisions of earlier bills,” though I believe he’s talking about mandates on critical operators of US infrastructure to improve their cybersecurity systems (those standards are now voluntary).
Some experts have expressed reluctance to pass this bill out of the Senate, for fear that the bad CISPA provisions get inserted in conference. That’s a legitimate concern, although gridlock is more likely, as the Chamber of Commerce objects to the Senate version, as do House Republicans. But on one of these bills that has a lot of momentum behind it, Franken is clearly trying to do the best he can to ameliorate any issues that may arise. We’ll see if his amendment can pass.