Department of Homeland Security

Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses.  The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices.  While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.

Continue Reading CISA Releases Cyber Readiness Recommendations for Small Business

By Ray Biagini and Scott Freling

We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan.  Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital.  The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption.  Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?

In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.”  The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level[] of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.”  Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.

Continue Reading SAFETY First: Using the SAFETY Act to Bolster Cybersecurity

By Caleb Skeath

Congress approved a package of five cybersecurity bills after a series of votes in the House and Senate this week, increasing the likelihood that some cybersecurity-related legislation will be signed into law by the end of this year. None of the bills address some of the larger, more contentious cybersecurity issues, such as immunity for private companies that share cybersecurity threat information with the federal government. Instead, the bills focus on narrower cybersecurity issues and the structures and procedures of the federal agencies that oversee cybersecurity. Two of the measures, S. 2519 and S. 2521, are primarily focused on centralizing the federal government’s cybersecurity efforts and enhancing information sharing with the private sector, while another, S. 1353, provides for the development of a voluntary set of cybersecurity standards for the private sector. The remaining bills, S. 1691 and H.R. 2592, are focused on strengthening the Department of Homeland Security’s cybersecurity workforce and recruitment efforts.

Continue Reading Congress Passes Five Cybersecurity Bills

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directed the Secretary of Homeland Security to identify “critical infrastructure at greatest risk” within 150 days after issuance of the Order on February 12, 2013.  Section 9 of the Order specified that the Secretary, in consultation with sector-specific agencies, should “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  The Order further directed the Secretary to provide the list of identified critical infrastructure to the President, confidentially notify owners and operators of identified critical infrastructure, and establish a process for such owners and operators to request reconsideration of their identification.

On April 17, the Department of Homeland Security (“DHS”) issued a Federal Register notice regarding its actions pursuant to Section 9 of the Executive Order.  The Notice reports that after consulting with “sector stakeholders,” including critical infrastructure owners and operators, sector-specific agencies, and subject-matter experts, the Secretary of Homeland Security provided an initial list of identified critical infrastructure to the President on July 19, 2013.  DHS explained that it has completed the process of notifying owners and operators of critical infrastructure that has been identified as “at greatest risk,” and therefore “[i]f critical infrastructure owners and operators have not been contacted by DHS in connection with their status on the initial list, then such infrastructure has not been included on the initial list.”  The list of critical infrastructure at greatest risk will be updated annually going forward.

Continue Reading DHS Announces Reconsideration Process for “Critical Infrastructure at Greatest Risk”

By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

  • National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
  • Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
  • Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

Continue Reading White House Releases Legislative Proposal on Cybersecurity