By David Fagan

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process — shepherded by Senate Majority Leader Reid and Minority Leader McConnell — with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.

As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.

The bill also addresses information sharing between the government and the private sector and among private sector entities with respect to cybersecurity threats.  The bill instructs the Secretary of Homeland Security to establish a process to designate “cybersecurity exchanges,” both governmental and non-governmental, to serve as clearing houses for receiving and distributing cybersecurity threat information.  Shared information could only be used to protect information systems from cyber threats.  The bill would provide liability protections for those who share information consistent with its provisions.

Other provisions of the bill address government cybersecurity, future needs, and the international dimensions of cybersecurity:

  • The bill would consolidate existing DHS cyber offices into a new National Center for Cybersecurity and Communications (“NCCC”), to be headed by a Senate-confirmed presidential appointee.  The NCCC would have responsibility for, among other things, coordinating federal cybersecurity efforts, conducting risk assessments of covered critical infrastructure, and developing national incident response plans.
  • With respect to the government’s own security posture and preparedness, the bill would substantially revise the Federal Information Security Management Act of 2002 (FISMA) and move toward continuous monitoring and risk assessment of federal systems.
  • To ensure future cybersecurity needs can be met, the bill mandates education and awareness campaigns, establishes a federal Cyber Scholarship-for-Service program, amends hiring authority for federal cybersecurity employees, and requires development of a national cybersecurity research and development plan.
  • The bill focuses on the international dimensions of cybersecurity, directing the Secretary of State to designate a senior level State Department official to coordinate U.S. diplomatic engagement on international cyber issues, provide strategic direction and coordination for U.S. policy on international cyber issues, and coordinate with relevant Federal agencies to develop interagency plans regarding international cybersecurity.

Witnesses at yesterday’s hearing included co-sponsor Senator Rockefeller, who pledged to introduce an amendment to the bill on the floor to require businesses to disclose material information relating to information security risks and events in filings with the Securities and Exchange Commission (a proposal that had been kept out of the bill in the face of opposition from industry); and co-sponsor Senator Feinstein, who pressed for the inclusion of federal data breach notification requirements in the bill.

In time allotted for questioning, Senator John McCain (R-AZ) expressed concerns over the bill, echoing a letter that he and six other Republican Ranking Members of Committees sent earlier this week to Majority Leader Harry Reid (D-NV) and Minority Leader Mitch McConnell (R-KY).  Senator McCain criticized the bill’s co-sponsors and Senate leadership for a lack of consultation with the other ranking members and committees — a criticism that Senator Lieberman refuted.  Senator McCain announced that after the Presidents’ Day holiday he and the letters’ other signatories intend to introduce their own cybersecurity bill focusing on a cooperative approach to information sharing with the private sector.

The second panel of the hearing featured Secretary of Homeland Security Janet Napolitano, who was the only witness from the executive branch.  The third panel included testimony from former Secretary of Homeland Security Thomas Ridge (now the Chairman of the National Security Task Force for the U.S. Chamber of Commerce); Stewart A. Baker, former Assistant Secretary of Homeland Security; Dr. James A. Lewis of the Center for Strategic and International Studies; and Scott Charney, the Corporate Vice President for Trustworthy Computing at Microsoft.

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.