But the EFF said the measure in its current form contains broad language around the ability for companies to use security as a reason to partake in "nearly unlimited" data monitoring of users. The EFF said it wants the legislation to be more specific in certain areas.
In summary, the Cyber Security Act of 2012, which may be taken up as early as this week, would:
- Establish a multi-agency National Cybersecurity Council -- chaired by the Secretary of Homeland Security -- to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
- Allow private industry groups to develop and recommend to the council voluntary cyber security practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
- Allow owners of critical infrastructure to participate in a voluntary cyber security program. Owners could join the program by showing either through self-certification or a third-party assessment that they are meeting the voluntary cyber security practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyber issues.
- Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
- Permit the private sector and the federal government to share information on threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
- Require designated critical infrastructure -- those systems which, if attacked, could cause catastrophic consequences -- to report significant cyber incidents.
- Require the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
President Obama is encouraging Congress to pass the proposed bill, according to an op-ed that appeared in Friday's The Wall Street Journal.
"We need to make it easier for the government to share threat information so critical infrastructure companies are better prepared," Obama wrote. "We need to make it easier for these companies -- with reasonable liability protection -- to share data and information with government when they're attacked. And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks."