By David Fagan

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process — shepherded by Senate Majority Leader Reid and Minority Leader McConnell — with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.

As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.

The bill also addresses information sharing between the government and the private sector and among private sector entities with respect to cybersecurity threats.  The bill instructs the Secretary of Homeland Security to establish a process to designate “cybersecurity exchanges,” both governmental and non-governmental, to serve as clearing houses for receiving and distributing cybersecurity threat information.  Shared information could only be used to protect information systems from cyber threats.  The bill would provide liability protections for those who share information consistent with its provisions.

Other provisions of the bill address government cybersecurity, future needs, and the international dimensions of cybersecurity:

  • The bill would consolidate existing DHS cyber offices into a new National Center for Cybersecurity and Communications (“NCCC”), to be headed by a Senate-confirmed presidential appointee.  The NCCC would have responsibility for, among other things, coordinating federal cybersecurity efforts, conducting risk assessments of covered critical infrastructure, and developing national incident response plans.
  • With respect to the government’s own security posture and preparedness, the bill would substantially revise the Federal Information Security Management Act of 2002 (FISMA) and move toward continuous monitoring and risk assessment of federal systems.
  • To ensure future cybersecurity needs can be met, the bill mandates education and awareness campaigns, establishes a federal Cyber Scholarship-for-Service program, amends hiring authority for federal cybersecurity employees, and requires development of a national cybersecurity research and development plan.
  • The bill focuses on the international dimensions of cybersecurity, directing the Secretary of State to designate a senior level State Department official to coordinate U.S. diplomatic engagement on international cyber issues, provide strategic direction and coordination for U.S. policy on international cyber issues, and coordinate with relevant Federal agencies to develop interagency plans regarding international cybersecurity.

Witnesses at yesterday’s hearing included co-sponsor Senator Rockefeller, who pledged to introduce an amendment to the bill on the floor to require businesses to disclose material information relating to information security risks and events in filings with the Securities and Exchange Commission (a proposal that had been kept out of the bill in the face of opposition from industry); and co-sponsor Senator Feinstein, who pressed for the inclusion of federal data breach notification requirements in the bill.

In time allotted for questioning, Senator John McCain (R-AZ) expressed concerns over the bill, echoing a letter that he and six other Republican Ranking Members of Committees sent earlier this week to Majority Leader Harry Reid (D-NV) and Minority Leader Mitch McConnell (R-KY). Senator McCain criticized the bill’s co-sponsors and Senate leadership for a lack of consultation with the other ranking members and committees — a criticism that Senator Lieberman refuted. Senator McCain announced that after the Presidents’ Day holiday he and the letter’s other signatories intend to introduce their own cybersecurity bill focusing on a cooperative approach to information sharing with the private sector.

The second panel of the hearing featured Secretary of Homeland Security Janet Napolitano, who was the only witness from the executive branch.  The third panel included testimony from former Secretary of Homeland Security Thomas Ridge (now the Chairman of the National Security Task Force for the U.S. Chamber of Commerce); Stewart A. Baker, former Assistant Secretary of Homeland Security; Dr. James A. Lewis of the Center for Strategic and International Studies; and Scott Charney, the Corporate Vice President for Trustworthy Computing at Microsoft.

David Fagan co-chairs the firm’s top ranked practice on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and is a partner in the firm’s data privacy and cybersecurity practice.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including being named The American Lawyer’s Dealmaker of the Year three times. His work includes successfully securing three of the four Presidential approvals in the history of CFIUS; securing the only Presidential order protecting a client against a proposed hostile takeover; and negotiating the only “golden share” the U.S. government has taken in a U.S. company. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

For more than two decades, David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that encounter challenges in CFIUS; provide strategic counsel to clients on navigating and addressing U.S. national security considerations in commercial transactions; and negotiate solutions with the U.S. government, including equity arrangements, that protect national security interests while preserving shareholder value and U.S. business interests.

In the enforcement area, David has represented clients in numerous enforcement actions pursued by CFIUS, including two of the three largest penalty cases resolved with CFIUS.

Reflecting his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multinational companies to advise on emerging legal issues, including outbound investment restrictions and regulations governing information and communications technologies and services (ICTS), as well as strategic legal projects related to the evolving U.S.-China competitive landscape.

In addition, in the foreign investment and national security area, David routinely advises clients on matters requiring mitigation of foreign ownership, control, or influence (FOCI) under applicable national industrial security regulations. His work includes advising many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions subject to public safety, law enforcement, and national security review by Team Telecom.