After years of discussion and several false starts, 2012 is shaping up to be the year that national cybersecurity legislation may become a reality in the U.S. Several recent proposals from the White House and both houses of Congress have revealed a sense of urgency and strong bipartisan support for strengthening the nation’s private and public infrastructure from cyber attack. The parameters of any final legislation, however, remain very much in debate. Proposals have ranged from bills designed simply to facilitate the sharing of cyber-threat information between the private and public sectors to comprehensive schemes granting the executive branch broad powers to declare a national cyber emergency and to compel private companies to implement a response plan. To further complicate matters, in both the Senate and House, numerous committees and subcommittees claim some jurisdiction over cybersecurity.
When the president released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” Members of both parties have also recognized this challenge—approximately 50 cyber-related bills were introduced in the last session of Congress.
Given the rapid pace of recent developments and the potential impact of federal legislation in this area, it is important for companies in critical sectors—such as telecommunications, defense, energy, transportation and information technology—to monitor these developments closely and consider getting involved in the policy discussions.
Bipartisan momentum for cybersecurity legislation is building
In the White House, President Barack Obama has identified cybersecurity as one of the most serious economic and security challenges facing the nation today. In his recent State of the Union Address, the president highlighted the growing dangers of cyber threats and called on Congress to act on proposed legislation submitted by the White House last May. On February 1, the administration held a classified briefing with Senate leaders to stress the urgent need for legislative action.
In the Senate, several cybersecurity bills have been introduced. Senate Majority Leader Harry Reid (D-NV) has said that he considers cybersecurity a top priority. Last year, Reid and Minority Leader Mitch McConnell (R-KY) took the unusual step of exchanging public letters on the subject and formed a bipartisan cybersecurity working group in an attempt to overcome the committee turf battles that have plagued earlier efforts.
Meanwhile, the Cybersecurity and Internet Freedom Act (CIFA-S 413), sponsored by Sens. Joe Lieberman (I-CT), Susan Collins (R-ME) and Thomas Carper (D-DE), gained a good deal of attention in 2011. It has been replaced by a new bill, S 2105, resulting from the joint efforts of several committees—Homeland Security and Government Affairs, Commerce and the Select Committee on Intelligence.
Just this month, a group of bipartisan senators introduced a pre-publication version of S 2105, the Cybersecurity Act of 2012. This bill is an attempt to bring together CIFA (S 413) and other Senate bills, such as one introduced by Chairman Jay Rockefeller (D-WV). S 2105 calls for the Department of Homeland Security (DHS) to assess risks and vulnerabilities of computer systems running at critical infrastructure sites and to work with the operators of such systems to develop security standards.
Under S 2105, the DHS would determine which systems fit the definition of “critical infrastructure,” namely those “whose disruption from a cyber attack would cause mass death, evacuation or major damage to the economy, national security or daily life.” Companies would have the right to appeal the designation. Owners or operators of critical infrastructure systems would be able to determine how to best meet performance requirements and would either "self-certify" compliance or use a third-party assessor for certification.
The bill also contains provisions for information sharing between the government and the private sector, and it would reform the Federal Information Security Management Act (FISMA). FISMA would “focus on continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.” The DHS would consolidate its cybersecurity programs into a National Center for Cybersecurity and Communications office.
Sen. Dianne Feinstein (D-CA) introduced separate legislation this month. The Cybersecurity Information Sharing Act of 2012 (S 2102) would have required the federal government to designate a single focal point for cybersecurity information sharing. This bill was later incorporated into S 2105 as Title VII of that bill, so S 2102 is unlikely to be acted upon separately unless S 2105 is defeated or substantially amended.
S 2102—and now Title VII—would create “cyber exchanges” (CEs). CEs are organizations established “to efficiently receive and distribute cybersecurity threat indicators.” The DHS Secretary would be required to establish, by regulation, at least one governmental CE as the lead CE. It would act as “the focal point within the federal government for cybersecurity information sharing among federal entities and with non-federal entities.”
Title VII also affirmatively provides private-sector companies the authority to monitor and protect the information on their own computer networks and encourages information sharing about cyber threats within the private sector by providing a good faith defense against lawsuits. It establishes procedures for the government to share classified cybersecurity threat information with companies that can effectively use and protect that information. The DHS secretary, in consultation with privacy and civil liberties experts, would have to develop policies for the receipt, retention, use and disclosure of cybersecurity threat information by federal entities to minimize the impact on privacy and civil liberties and to safeguard personal information.
In the House of Representatives, Republican leadership formed a Cybersecurity Taskforce in June of 2011. The taskforce was asked to make recommendations to House Republican leadership on four issues: critical infrastructure and incentives; information sharing and public-private partnerships; updating existing cybersecurity laws, and legal authorities. In October, the taskforce unveiled its recommendations in a report to House leadership.
Meanwhile, two cybersecurity bills are rapidly making their way through the House of Representatives. The Cyber Intelligence Sharing and Protection Act (CISPA-HR 3523) was introduced on November 30 and garnered over 50 cosponsors and 20 letters of support from industry leaders. CISPA was marked up and approved by the House Intelligence Committee by a commanding vote of 17-1. The next step for the bill is the House floor.
On December 15, Rep. Dan Lungren (R-CA) introduced the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PrECISE-HR 3674). It was marked up and unanimously passed on February 1 by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The bill, discussed in more detail below, will now be sent to the full committee.
The shape of final legislation is uncertain
Although there is broad consensus that cybersecurity legislation is needed, there are obviously many emerging proposals, and much has yet to be decided.
The House Intelligence Committee’s CISPA bill and Sen. Feinstein’s Cybersecurity Information Sharing Act appear to be the least controversial and least ambitious of the legislative proposals. The primary purpose of these bills is to facilitate the confidential sharing of cyber-threat information between the federal government and the private sector by various means. They authorize and expedite security clearances for qualified private-sector entities, protect private disclosures from Freedom of Information Act requests, restrict the government’s use of information received from the private sector and limit liability for entities’ sharing and use of cyber-threat information.
Like the CISPA, the House Homeland Security Committee’s PrECISE Act would facilitate the confidential sharing of cyber-threat information between the public and private sectors. It calls for the creation of a nonprofit organization called the National Information Sharing Organization (NISO)—with a majority private-sector board—to serve as a secure, confidential clearinghouse for the exchange of cyber-threat information between public and private entities. The PrECISE Act goes further than the CISPA, however, by empowering the DHS to conduct risk assessments and collect existing security standards to evaluate the best methods to mitigate risks. Notably, it is intended to create as little new regulation as possible, instead requiring regulators to assess current critical infrastructure protection regulations against DHS-identified risks. Gaps would be identified and redundancies eliminated.
In the Senate, last year’s CIFA legislation weighed in at more than 200 pages. Its successor, S 2105, is equally comprehensive. Much like the PrECISE Act, it would give the DHS power to conduct risk assessments and determine cybersecurity performance requirements but only for critical systems that are not already appropriately secured. Owners of “covered critical infrastructure” would have flexibility in meeting performance requirements as they deem fit.
Although Majority Leader Reid wants quick floor action on S 2105, a group of top Republicans, including Minority Leader Mitch McConnell and Sen. John McCain (R-AZ), have expressed concern that the measure is being rushed. They have stated that the bill “does not satisfy our substantive concerns, nor does it satisfy our process concerns.” Given the numerous legislative proposals under consideration—with more on the way—and the continuing jurisdictional debates, it is unlikely that any cybersecurity legislation will make headway in the near future. Nevertheless, there is clear bipartisan recognition that something needs to be done quickly to protect this country’s critical infrastructure.