EXCLUSIVE-Cyber bill would give U.S. emergency powers

Tue Sep 21, 2010 6:21pm EDT

* Tech companies skeptical of costs, requirements

* Senate majority leader pushing cybersecurity proposal

* Cybersecurity expert says bill is "pretty vanilla stuff"

By Diane Bartz

WASHINGTON, Sept 21 (Reuters) - Proposed cybersecurity legislation circulating on Capitol Hill would give the president the power to declare an emergency in the case of big online attacks and force some businesses to beef up their cyber defenses and submit to scrutiny.

The draft bill, a copy of which was obtained by Reuters, allows the president to declare an emergency if there is an imminent threat to the U.S. electrical grid or other critical infrastructure such as the water supply or financial network because of a cyber attack.

Industries, companies or portions of companies could be temporarily shut down, or be required to take other steps to address threats.

The emergency declaration would last for 30 days, unless the president renews it. It cannot last more than 90 days without action from Congress.

The draft is a combination of two cybersecurity bills which were merged into one at the urging of Senate Majority Leader Harry Reid. "It (the draft bill) is something that we hope to be able to pass before the end of the year, if we can," Reid spokeswoman Regan Lachapelle told Reuters.

Industry opposition could make it a tough go for the bill to get through the Senate and House of Representatives before the end of the year.

Steve DelBianco, director of the trade group NetChoice, whose members include Yahoo (YHOO.O), eBay (EBAY.O) and News Corp (NWSA.O), objected to a part of the bill that would bar companies designated as "critical" from fighting that designation in court.

"That has to be amended to make this bill fair to the businesses who will pay for it," he said.

The draft tries to calm fears that the government is reaching too far into business operations by requiring specific designations for which parts of a company or industry might be considered "critical infrastructure."

"Citibank router A to the New York Stock Exchange may be considered critical. It's not all of Citibank. It's not the entire banking sector," said a Senate staffer who declined to be identified because the staffer is not authorized to speak on the record.

Cybersecurity experts have been warning of the possibility of a massive attack for more than a decade, and hacking attacks, including one on Google Inc (GOOG.O) and other companies within the past year, have sounded alarm bells.

Many attacks have been more minor in scope, including one earlier on Tuesday on social networking website Twitter.

'VANILLA STUFF'

A presidential order may not be as dramatic as businesses fear but could be as simple as requiring the installation of a particular patch, said James Lewis at the Center for Strategic and International Studies.

"I don't think this is a big deal. The president can order people to take protective action," Lewis said. "People need to take a deep breath. This is pretty vanilla stuff."

Even in the absence of an imminent threat, companies could face government scrutiny. Company employees working in cybersecurity would need appropriate skills. The draft also would require companies to report cyber threats to the government, and to have plans for responding to a cyber attack.

Technology and telecommunications companies oppose mandates such as certifying cybersecurity professionals and requiring portions of the network to be shut down to mitigate threats.

The draft is based largely on a proposal sponsored by independent Senator Joseph Lieberman, Republican Susan Collins and Democrat Thomas Carper, and one by Democrat Jay Rockefeller and Republican Olympia Snowe.

Collins expects more negotiations and changes in the draft to avoid regulatory costs and incentives to promote security enhancements, a committee staffer said.

Negotiators working on the draft are considering allowing critical infrastructure companies which are compliant with the best practices to be protected from lawsuits demanding punitive damages for a breach.

(Reporting by Diane Bartz. Editing by Robert MacMillan)


(C) Reuters 2010. All rights reserved. Republication or redistribution of Reuters content, including by caching, framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters and the Reuters sphere logo are registered trademarks and trademarks of the Reuters group of companies around the world.