Just two days after introducing the controversial Cybersecurity Act of 2012, Senate lawmakers on Thursday plan to hold a hearing on the legislation, raising concerns that what some are calling a flawed piece of legislation may be on the fast-track for approval by the end of March.
The bill would grant the Department of Homeland Security vast new regulatory authorities over select portions of the nation’s critical infrastructure – everything from the national electric grid to transportation, water and financial services, among others.
It would also require significant investments by the private sector owners and operators of these critical systems to demonstrate and certify on an annual basis that they have taken the appropriate security measures as determined by risk-based cybersecurity performance requirements developed by a hodgepodge of federal and state agencies with input from the private sector.
The proposal, submitted by Senators Joseph Lieberman (I-CT), Susan Collins (R- ME), John Rockefeller (D-WV) and Diane Feinstein (D- CA), omits a controversial provision known as an Internet “kill switch” that would give the president the power to shut down online traffic by seizing private networks.
Among those scheduled to testify on Thursday are Secretary of Homeland Security Janet Napolitano and Tom Ridge, the nation’s first DHS Secretary, who currently leads the national security task force at the U.S. Chamber of Commerce. Ridge is expected to take issue with the overly broad regulatory nature of the legislation, something that the Chamber and other industry associations have done consistently.
Bobby Maldanado, a spokesman for the U.S. Chamber of Commerce, said Ridge’s testimony will echo the Chamber’s January 30 letter to Senate Majority Leader Harry Reid and Minority Leader Sen. Mitch McConnell.
“The Chamber is not supportive of a core component of the new bill — a regulatory “covered” critical infrastructure (CCI) program,” said Maldanado. “Instead, we believe that Congress should continue to develop information-sharing legislation that will produce more immediate improvements to American’s security and that has robust protections for the business community.”
Ken Wasch, president of the Software & Information Industry Association (SIIA), said in a statement issued after the bill was introduced that “cybersecurity legislation could potentially do more harm than good if not done carefully. A regulatory approach would not necessarily make organizations more secure, just more compliant.”
That’s exactly where the language of the proposed legislation raises serious questions for many observers.
In addition to requiring annual third-party assessments, the bill would also allow critical infrastructure operators to “select any security measures that satisfy the risk-based security performance requirements.”
If they’re not sure what measures will put them in compliance, they can simply ask the DHS to “recommend a specific security measure” that it believes is sufficient based on the risk.
“I don’t like that part of it,” said Steve Vinsik, vice president and partner, Global Security Solutions for Unisys Corporation.
“Standardization with industry input is one thing. But if it ends up in the hands of DHS and they get to decide what’s good or not I think that’s overreaching.”
The bill’s focus on compliance rather than effective security will inevitably lead to “a lot of finger pointing” when a cyber attack does occur, added Vinsik.
Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force, said he’s concerned that the finger pointing may all be in the direction of the private sector. He points to multiple recent hacking cases involving breaches of federal networks, including the CIA and the U.S. Census Bureau, where the agencies in question were not obliged to report or disclose the incident – as would be required of critical infrastructure operators under the new cybersecurity law.
“The only reason we know about those incidents is because the hackers posted the information on the Internet,” said Irvine. “If you want companies to buy in, require the federal government to have to go along with it too. There has to be some kind of agreement to hold companies harmless until they are compliant,” he said. “But there are just so many different rules, it’s crazy. Adding more is becoming excessively burdensome.”
Mark Heilbrun, a partner in the Washington, D.C., law firm of Edwards Wildman Palmer LLP, served on the National Security Council and as staff director for the Senate Judiciary Committee. He doesn’t see the bill as a rush to compliance.
“We’re going to have to get there sooner or later. I think it’s very narrow in its approach to who it would apply to,” he said. “In a sense this goes back to first principles. This was the underlying reason for the creation of the DHS. The general momentum has called for more oversight from some central entity. I know it is causing people concern about being overly bureaucratic. But I don’t think any of these bills are going to stay the way they are.”
Unisys’ Vinsik agrees that there will be opposition to this bill. “There are some good points, but I don’t want to give the government control that they really shouldn’t have over private industry,” he said. “I wouldn’t be surprised if this gets pulled down again.”
A source with close ties to the ongoing legislative process on Capitol Hill, who spoke on condition of anonymity, said the Senate Homeland Security and Governmental Affairs, chaired by Sen. Joseph Lieberman (I-CT), seems to have “stacked the deck” of Thursday’s hearing in an effort to push the bill forward. “Ridge is the only one on the panel who will talk common sense.”
Cybersecurity Act of 2012
- Gives DHS authority to designate “covered” critical infrastructure.
- Allows private sector to challenge designation or self-designate.
- Requires critical infrastructures to report on and certify security protections annually.
- Requires a third-party assessment of security performance requirements.
- Requires critical infrastructure operators to report significant cybersecurity incidents.
- Provides liability coverage to those infrastructure operators who are in “substantial compliance” with performance requirements.
- Requires DHS to develop threat, risk and information sharing mechanisms (cybersecurity exchanges) with private critical infrastructure owners.
- Protects information shared with the government from disclosure.
- Provides the President with authority to exempt critical infrastructure sectors if he/she believes sufficient regulations already exist.
- Prohibits regulating the design, development and manufacture of commercial IT products.
- Reforms FISMA by granting DHS authority to oversee civilian agency information security.
- Gives DHS authority to issue risk mitigation directives to agencies.
- Moves to continuous monitoring and risk assessment.
- DHS Secretary can take action against imminent threats to agency networks without prior notification to affected agency.
- Consolidates the National Cyber Security Division, National Communications System and Office of Emergency Communications into a new National Center for Cybersecurity and Communications (NCCC).
- Gives DHS Secretary hiring and compensation authority for cybersecurity professionals at the executive service level.
- Requires development of comprehensive cybersecurity occupation classifications and a cybersecurity awareness and training program for all federal employees and contractors.