Cybersecurity Bill Moves Directly to Senate Floor

On February 14, Senator Joseph Lieberman (I-CT) and several colleagues including Senator Susan Collins (R-ME), introduced S 2105 the Cybersecurity Act of 2012. The bill bypassed the traditional Committee process and was moved directly to the Senate Floor on February 15 where it awaits consideration.

The measure offers a comprehensive approach to strengthening cybersecurity on a national basis. It would give DHS the authority to set security standards for the computers housed/owned/operated at defined critical infrastructures and then allow the companies to choose how to meet those standards. If a company achieves the designated standard but suffers a subsequent cyber attack, it would be declared immune from punitive damages

The bill calls for DHS to consult with major security partners to conduct a “top level assessment of the cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructures to determine which sectors pose the greatest immediate risk, in order to guide the allocation of resources…” As well, this group – with the addition of state and local governments – shall establish a sector-by-sector procedure to designate critical “covered” infrastructure. This comes with a caveat that a defined system or asset can be designated as a ‘covered critical infrastructure’ if damage or unauthorized access could result in “the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food…”

Once such systems or assets are identified, they will be subject to risk-based cybersecurity performance requirements that call for owners to remediate or mitigate identified cyber risks and associated consequences. Owners/operators, state and local governments, and the private sector shall identify existing industry practices, standards, and guidelines and select and adopt appropriate requirements for the sector. If DHS determines that submitted performance requirements are inadequate, they will develop satisfactory requirements. Such analyses and requirements shall result in promulgation of regulations within one year of enactment. The regulations establish procedures that require owners to annually certify that they have developed and implemented security measures that meet defined risk based requirements. There are also provisions for third-party assessments of cybersecurity efforts. DHS may also perform cybersecurity assessments of selected covered critical infrastructure based on the specific cyber risks affecting that system or asset or knowledge that the owner is not complying with the performance requirements.

On February 16, Senator John McCain (R-AZ) announced plans to draft a different cybersecurity bill that would be voluntary rather than propose prescriptive Federal standards. As well, there are some cybersecurity experts who say that the original Cybersecurity Act does not go far enough.

Final text of the bill is not yet available; however, if you would like to review the pre-publication draft, please go to www,Thomas.loc.gov and enter “S 2105” in the search box.