Senate Poised to Act on Cyber Security Information Sharing

It appears that the Senate leadership may have come to agreement on an approach to share cybersecurity information and best practices — without requiring regulatory actions. On July 23rd, Senator Joseph Lieberman (I-CT) introduced S 3414, the Cybersecurity Act of 2012, known as ‘CSA2012.’ This compromise measure would replace Lieberman’s earlier S. 2105 that included mandatory cybersecurity standards and required DHS to assess cyber risks for critical infrastructures and the loosely constructed voluntary approach included in Senator John McCain’s SECURE IT Act (S 2151/3342). CSA2012 has moved directly to the Senate calendar for Floor consideration in the next several days.

Although legislative text is not available as of this writing, ASDWA has learned that the seven title, 200+ pages of legislative language calls for the establishment of a new National Cybersecurity Council. Made up of presidential appointees from the Departments of Commerce, Defense, and Justice, the intelligence community, sector-specific Federal agencies, and Federal agencies with responsibility for regulating the security of critical cyber infrastructure, the Council is tasked to:

1. Conduct sector-by-sector risk assessments in partnership with owners and operators, private sector entities, relevant Federal agencies, and appropriate nongovernmental entities and institutions of higher education;
2. Identify categories of critical cyber infrastructure;
3. Coordinate adoption of private sector voluntary outcome-based cybersecurity practices with owners and operators, private sector entities, relevant Federal agencies, and appropriate nongovernmental entities and institutions of higher education, and the Critical Infrastructure Partnership Advisory Council; and
4. Establish an incentives-based voluntary cybersecurity program to encourage adoption of the voluntary outcome-based cybersecurity practices.

Within 180 days of enactment, each sector coordinating council shall propose voluntary outcome-based cybersecurity practices sufficient to effectively remediate or mitigate cyber risks identified through an assessment. Within one year, the Council shall adopt any cyber practice that adequately remediates or mitigates identified cyber risks and associated consequences identified. Sector coordinating councils shall periodically (not less than every 3 years) assess cyber practices to ensure continued adequate remediation and mitigation of risk. Further, the Council shall develop, in coordination with certified owners, a procedure for ensuring that certified owners are, to the maximum extent practicable and consistent with the protection of sources and methods, informed of relevant real-time cyber threat information.

Under a separate title, the measure calls for the Secretary of Homeland Security, in consultation with the Director of National Intelligence, the Attorney General, and the Secretary of Defense, to establish a cybersecurity exchange to receive and distribute, in as close to real time as possible, cybersecurity threat indicators and to thereby avoid unnecessary and duplicative Federal bureaucracy for information sharing. The cybersecurity exchange creates:

1. a process for designating one or more appropriate civilian Federal entities or non-Federal entities to serve as cybersecurity exchanges to receive and distribute cybersecurity threat indicators;
2. procedures to facilitate and ensure the sharing of classified and unclassified cybersecurity threat indicators in as close to real time as possible with appropriate Federal entities and non-Federal entities; and
3. a process for identifying certified entities to receive classified cybersecurity threat indicators.

Presuming that the Senate will vote in favor of the cybersecurity compromise, the next step would be to bring the issue to a House-Senate conference and resolve the differences between this Senate measure and earlier passed House cybersecurity legislation – HR 2096 – the Cybersecurity Enhancement Act.