Introducted Tuesday, the Cybersecurity Act of 2012 would direct the Department of Homeland Security to work in concert with industry members and relevant government agencies to conduct a series of risk assessments and determine which private-sector firms would be deemed to operate “covered critical infrastructure,” a crucial designation that would determine whether a private-sector entity could be subjected to new regulatory oversight.
The bill lays out a set of broad guidelines for DHS to use in its evaluations. A covered critical infrastructure provider would be an entity on which a cyber attack could result in “the interruption of life-sustaining services” such as energy or transportation that could cause massive casualties or widespread evacuations, or cause “catastrophic economic damage to the United States” or “severe degradation of national security or national security capabilities.” Avoiding ‘Cyber 911’
Sen. Joe Lieberman (Independent-Conn.), one of the bill’s sponsors, took to the Senate floor to make an urgent case that a comprehensive overhaul of the nation’s cybersecurity regime is needed to avert a “cyber 9/11.”
“The aim of this bill is to make sure that we don’t scramble here in Congress after such an attack to do what we can and should do today,” said Lieberman, who chairs the Homeland Security and Governmental Affairs Committee. “The fact is that our cyber defenses are not what they should be, but such as they are, they are blinking red.”
Joining Lieberman as original sponsors of the bill were Susan Collins (Maine), the ranking Republican on the homeland security panel, Commerce Committee Chairman John Rockefeller (D-W.V.) and Dianne Feinstein (D-Calif.), who chairs the Select Committee on Intelligence.
The bill is the product of some three years of active work to draft legislation that achieve an update and expansion of federal regulatory authorities to deal with the modern threat landscape and the increasing digitization of vital systems, such as the electrical grid and financial services, without overreaching and saddling private operators with a burdensome compliance mandate.
It hasn’t been an easy balance to strike. Various legislative proposals have drawn sharp criticism from industry groups for the new regulations they would create and digital rights groups for potential privacy intrusions, while the now-discarded idea of giving the president expanded authorities to shut down networked systems in the event of a major cyber attack proved a lightning rod for criticism. That so-called “kill switch” provision was interpreted by opponents to mean that the president would have the unchecked authority to shut down the Internet after declaring a state of cyber emergency. Lieberman sought to defuse that charge as he introduced the new legislation.
“There is nothing remotely like that in this bill,” he said in the Senate.
The Homeland Security and Governmental Affairs Committee has scheduled a hearing to consider the bill on Thursday. Rockefeller and Homeland Security Director Janet Napolitano are both scheduled to testify. Their testimony will be followed by a panel of witnesses that includes Scott Charney, corporate vice president of Microsoft Corp.’s Trustworthy Computing Group, and former DHS Secretary Tom Ridge, who now chairs a national security task force for the U.S. Chamber of Commerce, which has criticized certain provisions of the proposed legislation.
Adam Jentleson, a spokesman for Majority Leader Harry Reid, confirmed that Reid intends to bring the measure to the Senate floor in the next working period, but that he couldn’t narrow the time frame further. “It’s still being worked out,” he said.
Advocates of expanded federal cyber authorities cite estimates that between 80 and 90 per cent of the nation’s critical infrastructure is owned and operated by the private sector, where early reaction to the bill was mixed.
“Our view is there is a genuine threat out there. There is a need to take action. There’s a powerful need for the private sector and the public sector to collaborate,” said Tom Gann, vice-president of government relations for security software vendor McAfee Inc.
But McAfee remains skeptical about expanded regulatory oversight. A company executive recently testified before a House subcommittee on the cybersecurity threat and the appropriate policy response, telling lawmakers that positive incentives such as tax credits and liability protections are generally superior to punitive measures such as penalties for failing to comply with a new set of regulations.
“A big question still to be worked out is the degree to which DHS goes beyond information sharing, sharing best practices … to actually regulating,” Gann said in an interview. “No one argues that more security doesn’t make sense,” he said, but that the important matter is “a question of how it’s incentivized.”
Gann, who acknowledged that he and his policy team were still reviewing the lengthy bill, did not contend that DHS should not have any role in facilitating stronger security of private networks, but rather argued that, as a general principle, regulations are not reliable catalysts for stronger security. As a matter of political pragmatism, he suggested that lawmakers focus their energies on the proposals in the new bill that enjoy stronger bipartisan support, such as the information sharing provisions and measures to shore up government systems, particularly in a highly politicized session working under an election-shortened legislative calendar.
Defining Department of Homeland Security’s Reach
But the bill’s authors are familiar with the charges of regulatory overreach. The legislation introduced on Tuesday has a measure of flexibility meant to ease the burden for covered businesses, such as the provision that DHS would not have jurisdiction over entities operating in a sector that is already regulated by a separate federal authority. Covered critical infrastructure operators would submit their own cybersecurity performance requirements to DHS, which the secretary could then overrule if they were not deemed strong enough, but operators that demonstrate that they already have sufficient defenses in place could win an exemption from the performance requirements entirely.
“The risk-based performance requirements in the bill are targeted carefully,” Collins said in her remarks Tuesday on the Senate floor. “Moreover, the owners of critical infrastructure — not the government — would select and implement the cybersecurity measures the owners determine to be best suited to satisfy the risk-based cybersecurity performance requirements.”
If a private-sector entity feels that it has wrongly been deemed as a provider of critical infrastructure under the definition of the law, it would be to appeal that designation either with the DHS itself or in federal court.
Additionally, in its analysis, DHS would not be making pronouncements on individual products or technologies, but rather be directed to anchor its oversight in the risk assessments.
Many private-sector organizations might object to the expanded profile for DHS provided in the bill, but Guy Churchward, the chief executive of LogLogic, an IT firm that helps businesses with compliance, log management and security events, argues that industry practices are still not consistently secure, and that there is an appropriate role for the government to play, so long as it narrowly focuses on risk, rather than compliance.
“While it might seem ‘big brother-ish’ to have the government create regulations for private infrastructure, we do need some intervention to strengthen the security posture of U.S. companies,” Churchward wrote in an email. “DHS can certainly drive the guidelines, but it’s also very important to provide the right type of help to companies to secure their infrastructure. We don’t need one more check-box type of regulation with unclear guidelines and more bureaucracy, followed by tactical purchasing of mediocre check-box products leaving yet more holes.”
In addition to the DHS language, which will likely garner the greatest opposition, the new bill contains a number of provisions to encourage companies and government agencies to share information about potential threats and attacks, including a liability shield to protect companies that participate in the so-called cyber exchanges from litigation.
The bill would also establish a system for authorizing private-sector entities to receive classified information about cyber threats from government authorities, seeking to address the perception that information sharing between industry and government is too often a one-way street.
McAfee’s Gann said that he is encouraged by the emergence of new technologies that have enabled government agencies and others to share pertinent threat data while scrubbing information about its source and the method by which it was acquired, a development that, coupled with new legislation, could help thaw the culture of secrecy at the agencies on the front lines of cybersecurity.
“I think the technology is maturing, and as the legal regime matures hopefully both can intersect,” he said.
Additionally, the Cybersecurity Act would entail a number of reforms to the Federal Information Security Management Act, the statute mandating the security standards for government IT systems that many observers say has fallen severely out of date. In amending the FISMA process, the bill would require the federal government to develop a new risk-based method of evaluation within its procurement process.
Other provisions of the legislation would seek to expand the number of qualified cybersecurity workers and boost the research and development of security technologies.