Monday, March 19, 2012

McCain vs. Lieberman - SecureIT vs. Cybersecurity Act of 2012

Senator John McCain, along with five other Republican senators, released their counterproposal to the Lieberman-Collins Cybersecurity Act of 2012, which was released last month. The bill is called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology (Secure IT) Act. Let me start by saying that when I see a bill that is cleverly named so as to have a readable acronym, I immediately wonder how serious the authors of the bill are about its passage. I can't think of any bills off the top of my head that have actually passed that have been so named. HIPAA? Sarbanes-Oxley? Digital Millennium Copyright Act?

I'm not sure how long it took McCain and the other senators to write their counterproposal. It isn't clear whether the bill was already in progress or whether they started last month after hearing about the competing legislation. In any event, McCain's bill was introduced only a week after the Lieberman bill, which purports to be the result of three years of negotiation and research. Mostly, the McCain bill appears to be a hodgepodge of the Cybersecurity Act of 2012 and other preexisting bills, with many deletions and with partisan elements inserted.

Let’s look at the similarities and differences between the two bills:

Both bills have some provision for a Federal Cyber Scholarship-for-Service program. The McCain bill copies the first paragraph of the Lieberman bill word for word. Where the Lieberman bill specifies how many scholarships are to be given (1,000) and provides for full tuition, the McCain bill provides no guidance on how many scholarships will be given and only covers tuition for two years of study. The Lieberman bill requires students to commit to service for the same amount of time they spent in school, while the McCain bill requires one and a half times that.

If I were a student, I'm not sure I'd be interested in the McCain offer. Less money for longer indentured servitude? Unfortunately, not many students would be able to sign up for the McCain proposal anyway, since the McCain bill specifies that no additional funding will be allocated for cybersecurity. This means that any money for scholarships would have to be carved out of departments' individual budgets, which is presumably why the McCain bill doesn't specify a number of scholarships. That number would likely be close to zero.

No new funding is problematic where issues of national security and defense come into play. If the national air traffic control network, for example, needs to be completely scrapped and a new secure network deployed, how could that be accomplished under the McCain bill? The FAA would have to carve the cost out of its existing budget, and small upgrades would have to happen over a long period of time. This is perhaps why Lieberman and Rockefeller have been so outspoken in their criticism of the McCain bill since the counterproposal was introduced.

The Lieberman bill has several sections that the McCain bill is missing entirely:

  • Information Sharing

  • Public Awareness Reports

  • International Cooperation

The Lieberman bill creates affirmative authorities to monitor and defend against cybersecurity threats and allows for coordination of cyber issues within the US government. It addresses FISMA, attempts to address Federal agency purchasing and planning for information security, and explicitly discusses savings. It includes considerations of international coordination. Finally, it creates the notion of Federal and non-Federal Cybersecurity Exchanges, which would allow for the sharing of both classified and unclassified information. Here the Lieberman bill seems to be attempting to address the problem raised by Federal agencies' claims that they were not allowed to share information prior to September 11, 2001, one of the main drivers behind the Patriot Act and the creation of the Department of Homeland Security.

The McCain bill has several sections that the Lieberman bill is missing:

  • High Performance Computing

  • Criminal Penalties

The Lieberman bill mentions High Performance Computing only once, to make one small amendment, while the McCain bill focuses on it for several pages. My only thought here is why? McCain's changes to the High Performance Computing Act of 1991 don't really have anything to do with security. The changes mostly read as funding modifications, which makes me think this whole bill is about pork, not security.

The Criminal Penalties section amends the Computer Fraud and Abuse Act, but mostly focuses on stiffening penalties and on forfeiture of property directly or indirectly gained through such fraud and abuse. While these are reasonable goals and could be added to the Lieberman bill, they miss the reality of hacking today. The most successful hackers operate internationally and are very difficult to capture, so stiffer domestic penalties have little deterrent effect on them. The McCain bill does nothing to address this new reality.