U.S. companies operating critical infrastructure will be forced to better defend their networks against cyber attacks, and to collect and share data crossing their network with federal authorities, if the bipartisan Cybersecurity Act of 2012 introduced this week becomes law.
The proposed bill is designed to streamline data security processes and improve the ability for companies to share information about data threats within their industries. But public interest organizations want to ensure the legislation limits the amount of personal data to which the government will gain access.
The measure -- introduced by Sens. John "Jay" Rockefeller IV, D-W.Va., Joe Lieberman, I-Conn., Susan Collins, R-Maine, and Dianne Feinstein, D-Calif. -- faced its first hearings in the Senate Commerce Committee on Thursday. It places the Department of Homeland Security at the forefront to assess the risks and vulnerabilities of critical infrastructure, such as the electric and nuclear power grid, water systems, and telephone and data communications systems, where a successful attack could have a massive public impact.
After several botched attempts at passing cyber security-related legislation, lawmakers are playing it safe this time around. The measure would stop short of giving the president "kill-switch" powers to limit or shut down web traffic in the event of an emergency, as a previous version had. In addition, the news release announcing the bill stated that it "in no way resembles" the controversial Stop Online Piracy Act (SOPA), which is now off the table following an unprecedented public backlash.
Companies covered by the critical infrastructure designation in the Cybersecurity Act of 2012 would also have the ability to implement their own cyber security technology -- the bill prohibits the government from regulating the design or technology used. The measure also would redefine some roles of federal agencies and amend some Federal Information Security Management Act (FISMA) regulations, shifting them from compliance-focused to security-focused.
The legislation, three years in the making, follows a plethora of cybersecurity bills introduced in the past year. The introduction of the bill follows within days of an exchange of letters between the U.S. Chamber of Commerce Executive Vice President R. Bruce Josten and Senate Majority Leader Harry Reid, D-Nev.
“Rushing forward with legislation that has not been fully vetted would be a major mistake," Josten wrote. “Since 2009, the chamber has consistently said that it will support legislation that is carefully crafted and narrowly tailored toward effectively addressing the complex cyber challenges that businesses are experiencing. However, the chamber strongly opposes new regulations and compliance mandates that would drive up costs and misallocate business resources without necessarily increasing security.”
In his reply, Reid said, “Malicious cyber activity poses one of the most profound threats to our nation; yet, our government currently lacks a framework with which to confront this threat. To put it candidly, we are playing catch-up in an increasingly costly -- and potentially deadly -- game.”
The chamber isn't the only organization with concerns about the legislation.
Lee Tien, a senior staff attorney with the San Francisco-based nonprofit digital rights group Electronic Freedom Foundation, said the bill would not only exempt companies from existing privacy laws, but also bar the public, including watchdog organizations and academics, from obtaining information collected under the law through the Freedom of Information Act.
The bill calls for organizations in the private and public sector to share data about cyber threats, including personal data. However, Tien said the way the law is written, the government can gain access to data it otherwise would not have, even if the companies involved did not want to share that information.
Gregory Nojeim, senior counsel and director of the Project on Freedom, Security & Technology at the Center for Democracy & Technology, sees the problem differently.
He said the most significant innovation in this legislation, as compared to a proposed law from the House Intelligence Committee, is the care with which it describes the threat information that the private sector can share with the government.
However, there could be unintended consequences.
“The bill permits the government to use the threat information shared with it to prosecute any crime,” Nojeim said. “To ensure that the legislation doesn't amount to a new surveillance program, the bill should require that information shared with the government for cyber security purposes is used only for cyber security.
"The bill doesn't specify the lead federal agency for cyber security information sharing, opening the possibility that an element of Department of Defense would assume that role," he added. "This could mark a dramatic shift in cyber security policy for the civilian sector from civilian to military control."
Ben Ramirez, a security analyst at Frost and Sullivan, said the real value added to national infrastructure assets will be requiring the protection of supervisory control and data acquisition (SCADA) systems, such as electric and financial systems, which are primary targets for disabling the critical infrastructure.
“I believe the one major area of concern that is missing is accountability," he said. "The Senate has given full control to DHS to oversee this policy, and I believe the government needs to expand these duties to other agencies such as the National Security Agency or Defense Department. Cyber threats can come from anywhere around the world, and DHS would be overwhelmed with internal and external cyber attacks at the same time.”
The bill, as with all cyber security legislation, faces an uphill climb. On Thursday, Sen. John McCain announced that Senate Republicans would next week introduce their own version of the proposal.