Security Bills Bruised by Lingering Fight

The ghosts of two doomed antipiracy bills hang over a new and unrelated issue on Capitol Hill: proposed legislation to help secure the nation’s nuclear plants, water systems and other essential infrastructure from hackers and terrorists.
In both houses of Congress, legislation is gaining steam that would authorize the federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems and susceptible to being hacked. The legislation is already riven by competing interests and fears.

National security interests want the government to be able to collect and analyze information from private companies about how they protect themselves from attack. Those companies are skittish about government regulation generally. Civil liberties advocates warn against excessive information-gathering by the state in the name of computer security.

And members of Congress are wary of taking any steps that could infuriate the Internet lobby, which scored a surprise victory against would-be antipiracy laws last month.

Representative Dan Lungren, Republican of California, who recently introduced a computer security bill, acknowledged that Capitol Hill had learned some lessons about the new political muscle of technology companies and their users.

“One of the things we learned is that we have to raise the debate such that no one believes things are being done behind closed doors,” Mr. Lungren said in a phone interview.

A Congressional aide who did not want to be named because he was not authorized to speak to the media, put the lessons of the antipiracy efforts more bluntly. Some members, the aide said, “were kind of scarred by that experience and don’t want to go down any road where they are viewed as regulating the Internet.”

In fact, the latest network security bills do not regulate the Internet, and it is not clear whether they will gain popular traction, either for or against.

The Senate computer security bill is expected to be introduced as early as Friday by Joseph I. Lieberman, Susan M. Collins and John D. Rockefeller IV. It would give the Department of Homeland Security regulatory authority over those essential services companies where an attack could jeopardize human life or national security. It would compel critical infrastructure companies and government agencies to share information about threats and breaches, and would give the government power to impose sanctions on companies that run afoul of the law.

Details of the bill are still being negotiated. A hearing on it is scheduled for next week.

The House version of the bill, which Mr. Lungren proposed in December and is expected to come before a full committee in coming weeks, allows Homeland Security to lay out performance standards on security, but does not give it explicit powers to regulate.

Kevin Richards, vice president for government affairs at TechAmerica, a trade group that represents large government contractors like Lockheed Martin, said its members were wary of the government’s telling them what to do. “When it comes to the tech community and Capitol Hill, we look at two cardinal rules,” Mr. Richards said. “First is, ‘Do no harm.’ Second is, ‘Beware unintended consequences.’ ”

The government, he suggested, would do better to focus its energies on improving its own security. “It’s important for our community to remain flexible and nimble in how we respond to the evolving cyberthreat,” he said. “The government should lead by example when it comes to securing its network.”

Neither the private sector nor government agencies have been immune to attacks. Large government contractors like Lockheed Martin and Booz Allen Hamilton have suffered from embarrassing intrusions in recent months, along with the security agency RSA and even the Federal Bureau of Investigation.

Security researchers have repeatedly pointed to gaping holes in the way industrial systems are protected, including those that handle power grids and oil rigs. The vulnerabilities are all the more worrisome as more and more of these systems are connected to the Internet. Passwords can be weak. Data can be transmitted without encryption. Hackers can remotely turn machines on and off, or tweak critical processes by adjusting valves.

“Failure to properly control or restrict access to these elements can lead to catastrophic accidents,” Paul Ferguson, a researcher with TrendMicro, a security firm, concluded recently in a blog post on his company’s site.

The best-known computer attack on an industrial system used a computer worm called Stuxnet, and appears to have been aimed at Iran’s nuclear arms program. Some evidence indicates that it was a joint project of the United States and Israel.

James A. Lewis of the Washington-based Center for Strategic and International Studies, a research organization, worried that industry lobbying would produce a watered-down law that would do little to deter attacks.

“The ideology of the market that dominates American politics, that government ‘is the problem,’ puts us at a disadvantage, because it’s certainly not true for defense,” Mr. Lewis said. “A weak bill guarantees a hit.”

The Obama administration has been nudging Congress to act on digital security, an issue that seems to garner rare bipartisan energy.

James R. Clapper, director of national intelligence, told a rare open hearing of the Senate Intelligence Committee last week that “market incentives” had kept both the private and public sector from being able to keep up with increasingly sophisticated online attackers. “Cyberthreats pose a critical national and economic security concern,” he said in testimony.

One of the sticking points in any security legislation is likely to be who can look at the information that private industry reveals about its own vulnerabilities and breaches. The intelligence community is keen to have access to it. Others are keen to keep it out of their reach.

One civil liberties group in Washington warned that companies and their customers might become worked up if they discovered that intelligence agencies were trying to extract as much information as possible in the name of security.

“I think there is a risk in moving too fast to authorize sharing of so much information that it puts privacy at risk and upsets a lot of the same people who spoke out” against the antipiracy legislation, said Gregory T. Nojeim, senior counsel at the Center for Democracy and Technology, an advocacy group that is supported by the technology industry.
Copyright: http://www.nytimes.com/2012/02/09/technology/digital-security-bills-bruised-by-a-lingering-antipiracy-fight.html?ref=technology