A Senate cybersecurity bill that has been on hold for months has now been given a new lease on life, thanks to provisions that both soften its impact on private industry and strengthen civil liberties protections for citizens.
The Senators who co-sponsored the revised bill said they did so in a “good faith effort to secure enough votes to address the immediate threat of attack from foreign nations, hacktivists, criminals, and terrorists against the nation’s most critical cyber systems.”
While acknowledging that the bill was actually stronger as originally proposed, Senate Homeland Security Chairman Joe Lieberman (I-Conn.) said in a US Senate press release: “This compromise bill will depend on incentives rather than mandatory regulations to strengthen America’s cybersecurity. If that doesn’t work, a future Congress will undoubtedly come back and adopt a more coercive system.”
Here is what the revised Cybersecurity Act of 2012 would do:
- Establish a multi-agency National Cybersecurity Council, chaired by the Secretary of Homeland Security, to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
- Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
- Allow owners of critical infrastructure to participate in a voluntary cybersecurity program. Owners could join the program by showing either through self-certification or a third-party assessment that they are meeting the voluntary cybersecurity practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyber issues.
- Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
- Permit information-sharing among the private sector and the federal government to share threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
- Require designated critical infrastructure (those systems which, if attacked, could cause catastrophic consequences) to report significant cyber incidents.
- Require the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
With regard to civil liberties, organizations such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) are applauding the revisions, while remaining cautious that what they see as improvements in the bill’s language could change before it becomes law.
Debate is reportedly expected to begin on the measure sometime next week, though the Senate calendar of upcoming hearings does not yet list an exact date.
A blog post on the EFF website outlines what parts of the bill they see as an improvement over previous versions:
• Ensure that companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency. The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the internet.
• Ensure that information shared under the program be “reasonably necessary” to describe a cybersecurity threat.
• Restrict the government’s use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats.
• Require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it.
• Allow individuals to sue the government if it intentionally or willfully violates the law.
ACLU Legislative Counsel Michelle Richardson notes in a blog post: “…it looks like the Senate is moving to pass something much better than CISPA from a privacy standpoint. Not all of the problems with the Cybersecurity Act are solved yet, and you better believe that amendments to strip the privacy protections are in the mix.”
CISPA, the Cyber Intelligence Sharing and Protection Act, is the US House of Representatives bill that was passed back in April despite civil liberties objections. But because the Senate had not taken up its version of the measure, nothing further had been done to move forward on new comprehensive cybersecurity legislation.
Now that the Senate is going to debate its version of the bill, the issue is back on the front burner.
According to Lieberman, “This legislation is urgently needed to address the clear, present, and growing danger of cyber attacks against our most critical systems.”
One of the bill’s co-sponsors, Senator Susan Collins (R-Maine), added “Experts have repeatedly warned that the computer systems that run our critical infrastructure – our electric grid, water systems, financial networks, and transportation systems – are vulnerable to a major cyber attack. A cyber attack is a threat not just to our national security, but also to our economic edge and way of life.”