Capitol Hill staffers have made progress stitching together cybersecurity proposals into a huge bill, aides said, with Senate leadership putting it on their short list for passage this year.
But stiff industry opposition and partisan tensions still make it unlikely comprehensive legislation will pass in 2010.
The legislation would require companies that sell the government $80 billion in hardware and software each year to bake in a certain level of security — a potentially expensive prospect.
Senate Majority Leader Harry Reid has put the measure on his list of top-priority bills to get through the Senate this year, the sources said.
The bill is a priority because leaps in technology have increased industrial productivity but also left businesses and the U.S. government vulnerable to foreign spies, as in the 2008 breach of U.S. military computers using a single compromised thumb drive, and to identity thieves who have stolen untold numbers of consumer credit card numbers.
Previous congressional efforts to address these threats have run into roadblocks from high-tech and telecommunications companies. They staunchly oppose any mandates — such as certification of cybersecurity professionals or requiring portions of the network to be shut down to mitigate a threat.
“I don’t think it’s going to happen,” Marcus Sachs, a cyber policy expert with Verizon Communications Inc, told Reuters, about the prospects for legislation this year.
The bill is based largely on a measure that Senators Joseph Lieberman, Susan Collins and Thomas Carper wrote and a second drawn up by Senators John Rockefeller and Olympia Snowe.
The 200-plus page draft, which has not yet been released, is largely completed, although sticking points remain, according to a Senate aide familiar with the bill.
“There’s now a single unified bill. It is on Reid’s short list,” said a second Senate aide.
The goal would be to get the bill to the White House before the end of the year.
But, warned a third congressional source: “It’s a difficult environment to move any legislation.”
Among the lingering questions is how much government can intervene in the private sector if there is an imminent cybersecurity concern.
In the working draft, critical infrastructure such as financial networks, electrical providers and the petroleum industry would be alerted if the federal government learns of a threat and told how best to protect themselves. For example, they may be told to block all Internet traffic from China or Romania.
But companies have expressed fear there could be delays in responding if the government were involved in tackling a threat.
“Attacks happen in milliseconds,” said Sachs. “If you (the government) want to get involved, don’t slow us down.”
There are also compromises in the draft bill.
For example, tech companies had opposed requiring certification for cybersecurity professionals, which was in an earlier cybersecurity bill, and the current draft language recommends studying how best to require certification in the future.
“It is difficult at this time to require any type of certification,” said the first Senate aide.
In addition, the Department of Homeland Security would have an even bigger role in cybersecurity.
“DHS will get expanded authorities. I think that’s clear,” said James Lewis, a cybersecurity expert with the think tank Center for Strategic and International Studies.
The bill could come up in the next four weeks, or it could be much later, aides said.
“I know that Sen. Reid’s office has been extremely engaged on it,” said the first Senate aide. “Everybody would like to see this done yesterday.”