* Tech companies skeptical of costs, requirements
* Senate majority leader pushing cybersecurity proposal
* Cybersecurity expert says bill is "pretty vanilla stuff"
By Diane Bartz
WASHINGTON, Sept 21 Proposed cybersecurity
legislation circulating on Capitol Hill would give the
president the power to declare an emergency in the case of big
online attacks and force some businesses to beef up their cyber
defenses and submit to scrutiny.
The draft bill, a copy of which was obtained by Reuters,
allows the president to declare an emergency if there is an
imminent threat to the U.S. electrical grid or other critical
infrastructure such as the water supply or financial network
because of a cyber attack.
Industries, companies or portions of companies could be
temporarily shut down, or be required to take other steps to
The emergency declaration would last for 30 days, unless
the president renews it. It cannot last more than 90 days
without action from Congress.
The draft is a combination of two cybersecurity bills which
were merged into one at the urging of Senate Majority Leader
Harry Reid. "It (the draft bill) is something that we hope to
be able to pass before the end of the year, if we can," Reid
spokeswoman Regan Lachapelle told Reuters.
Industry opposition could make it a tough go for the bill
to get through the Senate and House of Representatives before
the end of the year.
Steve DelBianco, director of the trade group NetChoice,
whose members include Yahoo (YHOO.O), eBay (EBAY.O) and News
Corp (NWSA.O), objected to a part of the bill that would bar
companies designated as "critical" from fighting that
designation in court.
"That has to be amended to make this bill fair to the
businesses who will pay for it," he said.
The draft tries to calm fears that the government is
reaching too far into business operations by requiring specific
designations for which parts of a company or industry might be
considered "critical infrastructure."
"Citibank router A to the New York Stock Exchange may be
considered critical. It's not all of Citibank. It's not the
entire banking sector," said a Senate staffer who declined to
be identified because the staffer is not authorized to speak on
Cybersecurity experts have been warning of the possibility
of a massive attack for more than a decade, and hacking
attacks, including one on Google Inc (GOOG.O) and other
companies within the past year have sounded alarm bells.
Many attacks have been more minor in scope, including one
earlier on Tuesday on social networking website Twitter.
A presidential order may not be as dramatic as businesses
fear but could be as simple as requiring the installation of a
particular patch, said James Lewis at the Center for Strategic
and International Studies.
"I don't think this is a big deal. The president can order
people to take protective action," Lewis said. "People need to
take a deep breath. This is pretty vanilla stuff."
Even in the absence of an imminent threat, companies could
face government scrutiny. Company employees working in
cybersecurity would need appropriate skills. It also would
require companies to report cyber threats to the government,
and to have plans for responding to a cyber attack.
Technology and telecommunications companies oppose mandates
such as certifying cybersecurity professionals and requiring
portions of the network to be shut down to mitigate threats.
The draft is based largely on a proposal sponsored by
independent Senator Joseph Lieberman, Republican Susan Collins
and Democrat Thomas Carper, and one by Democrat Jay Rockefeller
and Republican Olympia Snowe.
Collins expects more negotiations and changes in the draft
to avoid regulatory costs and incentives to promote security
enhancements, a committee staffer said.
Negotiators working on the draft are considering allowing
critical infrastructure companies which are compliant with the
best practices to be protected from lawsuits demanding punitive
damages for a breach.
(Reporting by Diane Bartz. Editing by Robert MacMillan)
((firstname.lastname@example.org; +1-202-898-8313; Reuters
Keywords: CYBERSECURITY CONGRESS
(C) Reuters 2010. All rights reserved. Republication or redistribution ofReuters content, including by caching, framing or similar means, is expresslyprohibited without the prior written consent of Reuters. Reuters and the Reuterssphere logo are registered trademarks and trademarks of the Reuters group ofcompanies around the world.