On July 19, 2012, Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV), Dianne Feinstein (D-CA), and Tom Carper (D-DE) introduced a revised version of the Cybersecurity Act of 2012 (“CSA2012”), which they initially introduced in February. The revision includes elements drawn from efforts by Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) to reconcile the CSA2012 with the Republican-sponsored SECURE IT Act (S. 3342).
The new CSA2012 (S. 3414) takes a different approach from the original version to the cybersecurity of critical infrastructure. The original bill would have given the Department of Homeland Security (“DHS”) authority to designate “systems or assets” as covered critical infrastructure and to require owners and operators of designated critical infrastructure to meet cybersecurity performance requirements established by DHS. The new CSA2012, on the other hand, would rely on voluntary private sector compliance with cybersecurity standards. As Senator Lieberman explained, the revised bill relies on “carrots instead of sticks.”
Specifically, the revised CSA2012 would establish the National Cybersecurity Council, chaired by DHS and including representatives from the Department of Defense, Department of Justice, Department of Commerce, Intelligence Community, and sector-specific federal agencies. The bill would require the Council, coordinating with owners and operators, to conduct sector-by-sector cyber risk assessments of critical infrastructure and to identify “critical cyber infrastructure.” The owners of “critical cyber infrastructure” would be required to report significant cybersecurity incidents to the Council. In lieu of government-developed cybersecurity standards, the bill would require sector coordinating councils to propose “voluntary outcome-based cybersecurity practices” (Sec. 103(a)), which the Council would adopt or amend. The Council would then be required to establish a voluntary cybersecurity program for critical cyber infrastructure.
Owners of critical cyber infrastructure could apply to the program by self-certifying their compliance with the adopted cybersecurity practices or providing a third-party assessment verifying their compliance. In exchange for their participation, owners would receive benefits including liability protection from punitive damages stemming from cybersecurity incidents, expedited security clearances for employees, prioritized technical assistance on cyber issues, receipt of cyber threat information, and possibly a procurement preference, subject to further consideration by the Federal Acquisition Regulatory Council.
The revised bill maintains its past proposals for information sharing, authorizing DHS to establish a process to designate both governmental and non-governmental “cybersecurity exchanges,” which would facilitate information sharing. But the revised bill imposes new limitations on how information may be shared. The bill specifies that cybersecurity exchanges may only use or disclose shared information “to protect information systems from cybersecurity threats and to mitigate cybersecurity threats.” (Sec. 704(b)(1)). The bill would specifically limit disclosure to law enforcement entities to instances in which the information relates to a past, present, or imminent cybersecurity crime, an imminent threat of death or serious bodily harm, or a “serious threat to minors, including sexual exploitation and threats to physical safety.” (Sec. 704(g)(2)(A)(ii)). The bill also narrows the definition of “cybersecurity threat indicator” to clarify that shared information must be “reasonably necessary” to describe a cybersecurity threat. (Sec. 708(7)(A)). In addition, the bill would create a cause of action against the federal government for willful violations of the information sharing provisions.
Other provisions of the revised CSA2012, like the original version, would amend the Federal Information Security Management Act (FISMA) to require continuous monitoring and risk assessment of federal information systems. The bill would also address future cybersecurity needs by requiring establishment of education and awareness programs, creating a federal cyber scholarship-for-service program, amending federal hiring authorities for cybersecurity professionals, and mandating development of a national cybersecurity research and development plan.
The Senate is expected to consider the CSA2012 before its August recess. If the bill is adopted in the Senate, it must then be reconciled with bills that the House has passed on specific cyber issues in recent months, as noted in earlier posts.