Senate Commerce Committee leaders have circulated a cybersecurity
bill draft that directs the National Institute of Standards and Technology to
develop voluntary standards for cybersecurity best practices and that also
boosts cybersecurity research and training and cyberthreat education.
The bill is a coproduction of Committee chairman Jay
Rockefeller (D-W. Va.) and ranking member John Thune (R-S.D.) as they attempt
to find common ground and pass legislation to address what both Republicans and
Democrats agree is a real and growing threat of cyberattacks from hackers,
nation states and organized (and unorganized) crime.
The bill does not deal with the issue of industry sharing of
cybersecurity information with government, though Rockefeller supports efforts
to pass info-sharing bills. He was a cosponsor of cybersecurity legislation that
failed to pass in the last Congress.
President Obama mandated the creation of those voluntary
an executive order earlier this year, but Rockefeller is said to believe
legislation is needed to back up that order, which the president also suggested
would be a needed backstop (given that the order has an expiration date).
According to a copy of the draft obtained by B&C, it would require that the
- "Must be voluntary;
- "Must be developed in close and continuous coordination with industry;
- "Must not conflict with or duplicate existing regulatory requirements;
- "Must incorporate voluntary consensus standards and industry best practices and
align with voluntary international standards; and
- "Must be technology neutral."
According to a committee source, the bill stems from a
directive from Senate Majority Leader Harry Reid (D-Nev.) to committee chairs
with jurisdiction over the issue to draft bills to strengthen threat
Rockefeller is said to believe that the
provisions in this bill are key to forming a combined public-private front to
repel threats into the future. In addition to the best practices, that includes
the federal government "supporting cutting edge research, increas[ing]
public awareness, and improv[ing] our workforce to better address cyber